CVE-2025-58175
CVE-2025-58175 is a medium-severity vulnerability in Osgeo Geoserver with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-210278
- Weakness: CWE-20
- Affected product: Osgeo Geoserver
- Published:
- Last modified:
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Frequently asked questions
- What is CVE-2025-58175?
- GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
- How severe is CVE-2025-58175?
- CVE-2025-58175 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability low.
- Is CVE-2025-58175 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-58175?
- CVE-2025-58175 affects Osgeo Geoserver. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-58175?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-58175 have an EU (EUVD) identifier?
- Yes. CVE-2025-58175 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-210278.
- When was CVE-2025-58175 published?
- CVE-2025-58175 was published on 2026-06-18 and last updated on 2026-06-22.
References
- https://github.com/geoserver/geoserver/pull/8622
- https://github.com/geoserver/geoserver/security/advisories/GHSA-x4r9-gmw3-hxww
- https://osgeo-org.atlassian.net/browse/GEOS-11867
Affected products (1)
- cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
More vulnerabilities in Osgeo Geoserver
- CVE-2025-30220 — Critical (CVSS 9.9): GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of…
- CVE-2023-25157 — Critical (CVSS 9.8): GeoServer is an open source software server written in Java that allows users to share and edit geospatial data.…
- CVE-2024-34711 — Critical (CVSS 9.3): GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation…
- CVE-2023-43795 — High (CVSS 8.6): GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The…
- CVE-2023-41339 — High (CVSS 8.6): GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The…
- CVE-2025-30145 — High (CVSS 7.5): GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be…
All CVEs affecting Osgeo Geoserver →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →