CVE-2025-58175
MediumCVSS 6.5Summary
GeoServer prior to versions 2.26.4 and 2.27.3 may allow an attacker to perform unauthenticated Server-Side Request Forgery (SSRF) using `ENTITY_RESOLUTION_ALLOWLIST`. This requires GeoServer to be configured to use a proxy base URL without a path or ending with a slash.
Risk Assessment
Organizations using the vulnerable version of GeoServer may be exposed to SSRF attacks, potentially leading to the disclosure of sensitive data or unauthorized access to internal systems.
Recommendation
It is recommended to upgrade GeoServer to versions 2.26.4 or 2.27.3. If upgrading is not possible, adding a slash at the end of the proxy URL is advised to mitigate the risk.
Original NVD description (English source)
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

