CVE-2025-58175
Undergoing Analysis - In Progress
Unauthenticated SSRF in GeoServer via Proxy Base URL

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: GitHub, Inc.

Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer be set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (the default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Meta Information
Generated: 2026-06-19
AI Q&A generated: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product     Version / Range
geoserver   geoserver   to 2.27.3 (exc)
geoserver   geoserver   From 2.26.3 (inc) to 2.27.0 (exc)
geoserver   geoserver   From 2.27.0 (inc) to 2.27.3 (exc)
CWE ID    Description
CWE-20    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-611   The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Mitigation Strategies

The immediate and simplest mitigation step is to ensure that the proxy base URL in your GeoServer configuration ends with a trailing slash if it currently does not contain a URL path.

Alternatively, upgrade GeoServer to version 2.26.4 or 2.27.3 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, adding a trailing slash to the proxy base URL effectively mitigates the vulnerability by preventing the SSRF attack vector.

Executive Summary

CVE-2025-58175 is a Server-Side Request Forgery (SSRF) vulnerability in GeoServer versions 2.26.3 and below, as well as 2.27.0 to 2.27.2, when the ENTITY_RESOLUTION_ALLOWLIST feature is enabled.

This vulnerability allows unauthenticated attackers to manipulate GeoServer into making unintended network requests by exploiting improper XML entity resolution.

It specifically affects GeoServer installations configured with a proxy base URL that lacks a trailing slash or path (for example, https://somesite.org instead of https://somesite.org/).

The issue arises from weaknesses in input validation and XML external entity restrictions, allowing attackers to abuse the server's entity resolution mechanism.

The vulnerability was fixed in GeoServer versions 2.26.4 and 2.27.3.

Impact Analysis

This SSRF vulnerability can allow an unauthenticated attacker to make GeoServer perform unintended network requests.

Such requests could potentially expose sensitive internal network resources or data, leading to a high confidentiality impact.

The vulnerability has a medium severity score (CVSS 6.5) because it can be exploited remotely without authentication but requires a specific configuration (proxy base URL without a trailing slash or path).

A low impact on availability is possible, but integrity is not affected.

Mitigation can be as simple as adding a trailing slash to the proxy base URL or upgrading to patched versions.

Detection Guidance

This vulnerability can be detected by checking if your GeoServer installation is using the ENTITY_RESOLUTION_ALLOWLIST feature and if the proxy base URL is configured without a trailing slash or URL path.

To detect potential exploitation attempts on your network, you can monitor outgoing requests from GeoServer for unusual or unintended network calls that may indicate Server-Side Request Forgery (SSRF) activity.

Suggested commands to help detect this vulnerability or exploitation attempts include:

  • Check the GeoServer configuration files for the proxy base URL setting and verify whether it lacks a URL path or trailing slash. For example, use grep or a similar command:
    grep -i 'proxyBaseUrl' /path/to/geoserver/config/*
  • Use network monitoring tools such as tcpdump or Wireshark to capture outgoing HTTP requests from the GeoServer host and analyze them for suspicious destinations (the parentheses are needed so that the host filter applies to both ports):
    sudo tcpdump -i eth0 host <geoserver_ip> and '(port 80 or port 443)'
  • Review GeoServer logs for unexpected or unauthenticated requests that might indicate SSRF attempts.

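The following is an added example (not GeoServer project code) that applies the configuration check from the Detection Guidance and the trailing-slash mitigation from the Mitigation Strategies to a constructed global.xml fragment. It assumes the proxy base URL is stored in a `<proxyBaseUrl>` element, as the grep above suggests; the sample XML and the hostname in it are constructed for this example.

```python
"""Audit a GeoServer proxy base URL for the CVE-2025-58175 precondition.

Added example, not GeoServer project code. Assumption: the proxy base URL is
stored in the <proxyBaseUrl> element of GeoServer's global.xml; the XML below
is a constructed sample, not a real deployment.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample global.xml fragment showing the exposed configuration.
SAMPLE_GLOBAL_XML = """<global>
  <settings>
    <proxyBaseUrl>https://maps.example.org</proxyBaseUrl>
  </settings>
</global>"""


def proxy_base_url_is_exposed(url: str) -> bool:
    """True when the proxy base URL contains no URL path at all.

    Per the advisory, https://somesite.org (no path, no trailing slash) meets
    the precondition, while https://somesite.org/ and https://somesite.org/geoserver
    both contain a path and do not. Values that are not absolute URLs are rejected.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"proxy base URL is not an absolute URL: {url!r}")
    return parts.path == ""


def mitigated_proxy_base_url(url: str) -> str:
    """Return the advisory's recommended value: append '/' only when exposed."""
    return url.strip() + "/" if proxy_base_url_is_exposed(url) else url.strip()


def audit_global_xml(xml_text: str) -> dict:
    """Report whether a global.xml document carries an exposed proxy base URL."""
    node = ET.fromstring(xml_text).find(".//proxyBaseUrl")
    url = (node.text or "").strip() if node is not None else ""
    if not url:  # no proxy base URL configured: the precondition is not met
        return {"configured": False, "proxy_base_url": None,
                "exposed": False, "recommended": None}
    exposed = proxy_base_url_is_exposed(url)
    return {"configured": True, "proxy_base_url": url, "exposed": exposed,
            "recommended": mitigated_proxy_base_url(url) if exposed else None}


if __name__ == "__main__":
    print(audit_global_xml(SAMPLE_GLOBAL_XML))
```

Pointing `audit_global_xml` at the real global.xml of a deployment (read as text) gives the same report; a `recommended` value of `None` with `configured` true means the existing proxy base URL already contains a path.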
Compliance Impact

The vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF), potentially leading to unauthorized network requests and exposure of sensitive data due to improper XML entity resolution.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.
