CVE-2025-27505
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-08-26

Assigner: GitHub, Inc.

Description
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-10
Last Modified
2025-08-26
Generated
2026-05-07
AI Q&A
2025-06-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-27505
EUVD
EUVD-2025-17687
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
osgeo geoserver to 2.25.6 (exc)
osgeo geoserver From 2.26.0 (inc) to 2.26.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-27505 is a vulnerability in GeoServer's REST API security where the default security controls protect the /rest path and its subpaths but fail to secure the /rest path when accessed with an extension (e.g., /rest.html). This allows unauthorized users to bypass the REST API security and access the REST API index page, which can disclose information about installed extensions. The issue arises because the security configuration does not properly handle REST API endpoints with extensions in their paths. [1, 2]


How can this vulnerability impact me? :

This vulnerability can allow unauthorized users to access the REST API index page of GeoServer without proper authorization. As a result, sensitive information about installed extensions may be disclosed, potentially aiding attackers in further exploiting the system. Although the impact is limited to information disclosure (low confidentiality impact), it can still pose a security risk by revealing system details to attackers. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if your GeoServer instance allows access to the REST API index page via paths with extensions such as /rest.html without proper authorization. A simple way to test this is to send HTTP requests to the GeoServer REST API endpoints with extensions and observe if access is granted without authentication. For example, you can use curl commands like: 1) curl -i http://<geoserver-host>/rest.html 2) curl -i http://<geoserver-host>/gwc/rest.html If these requests return the REST API index page or other information without requiring authentication, your system is vulnerable. [2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, modify the GeoServer security configuration file located at ${GEOSERVER_DATA_DIR}/security/config.xml. Change the REST filter paths to /rest.* and /rest/**, and similarly change the GWC filter paths to /gwc/rest.* and /gwc/rest/**. After making these changes, restart the GeoServer service to apply the new security settings. Additionally, upgrading GeoServer to version 2.26.3 or 2.25.6 or later will fully fix the vulnerability. [2, 1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart