CVE-2025-58175

CVE-2025-58175 is a medium-severity vulnerability in Osgeo Geoserver with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.

Key facts

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

Frequently asked questions

What is CVE-2025-58175?
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
How severe is CVE-2025-58175?
CVE-2025-58175 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability low.
Is CVE-2025-58175 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-58175?
CVE-2025-58175 affects Osgeo Geoserver. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-58175?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-58175 have an EU (EUVD) identifier?
Yes. CVE-2025-58175 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-210278.
When was CVE-2025-58175 published?
CVE-2025-58175 was published on 2026-06-18 and last updated on 2026-06-22.

References

Affected products (1)

More vulnerabilities in Osgeo Geoserver

All CVEs affecting Osgeo Geoserver →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →