CVE-2025-27511
Analyzed Analyzed - Analysis Complete

JNDI Attack via DB2 JDBC URL in GeoServer DB2 DataStore Extension

Vulnerability report for CVE-2025-27511, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-24
Generated
2026-07-09
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
osgeo geoserver to 2.27.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in GeoServer's DB2 DataStore Extension prior to version 2.27.0 allows an administrator to perform a JNDI attack through a specially crafted DB2 JDBC URL. This attack can lead to Remote Code Execution (RCE).

Specifically, authenticated users with access to the Vector Data Sources page can create a new DB2 data store with unrestricted connection parameters. This enables the attacker to exploit the JNDI attack and cause deserialization of untrusted data, resulting in RCE.

The vulnerability is tracked under CWE-502 (Deserialization of Untrusted Data) and has a high severity rating with a CVSS score of 7.2.

Detection Guidance

The vulnerability involves a JNDI attack through a specially crafted DB2 JDBC URL in GeoServer's DB2 DataStore Extension prior to version 2.27.0. Detection would focus on identifying attempts to create or modify DB2 data stores with suspicious or unusual JDBC URLs that could trigger JNDI lookups.

Since the attack requires authenticated users with high privileges accessing the Vector Data Sources page, monitoring logs for creation or modification of DB2 data stores and inspecting JDBC URLs for unusual JNDI references can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Review GeoServer logs for DB2 datastore creation or modification events.
  • Search for JDBC URLs containing JNDI references or unusual patterns in configuration files or database entries.
  • Use network monitoring tools to detect suspicious outbound JNDI lookups or LDAP requests originating from the GeoServer host.
Compliance Impact

The provided information does not specify how the CVE-2025-27511 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The primary mitigation step is to upgrade GeoServer's DB2 DataStore Extension to version 2.27.0 or later, as this version contains the fix for the vulnerability.

Additionally, restrict access to the Vector Data Sources page to only trusted administrators with necessary privileges to prevent unauthorized creation or modification of DB2 data stores.

Implement monitoring and alerting on changes to DB2 datastore configurations and suspicious JDBC URLs to detect potential exploitation attempts early.

Consider network-level controls to block or monitor outbound JNDI or LDAP requests from the GeoServer host to reduce the risk of remote code execution.

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote code execution on the affected GeoServer instance.

Because the attack requires high privileges but no user interaction, an attacker with administrative access can exploit this to compromise the confidentiality, integrity, and availability of the system.

  • Confidentiality impact: Sensitive geospatial data could be exposed or altered.
  • Integrity impact: Data and system configurations could be modified maliciously.
  • Availability impact: The system could be disrupted or taken offline by executing arbitrary code.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-27511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart