CVE-2025-58175— GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| geoserver | org.geoserver:gs-main | < 2.26.4 | affected |
>= 2.27.0, < 2.27.3 | affected | ||
| geoserver | org.geoserver.web:gs-web-app | < 2.26.4 | affected |
>= 2.27.0, < 2.27.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-58175
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
Source: NVD (National Vulnerability Database)
Vulnerability Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| geoserver | org.geoserver.web:gs-web-app | < 2.26.4 | - | |
| geoserver | org.geoserver:gs-main | < 2.26.4 | - |
II. Public POCs for CVE-2025-58175
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-58175
请登录查看更多情报信息。
Patches & Fixes for CVE-2025-58175 (1)
Vendor Advisories for CVE-2025-58175 (1)
Other References for CVE-2025-58175 (1)
- https://osgeo-org.atlassian.net/browse/GEOS-11867x_refsource_MISC
Same Patch Batch · geoserver · 2026-06-18 · 3 CVEs total
| CVE-2025-52465 | 7.2 HIGH | GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page |
| CVE-2025-27511 | 7.2 HIGH | GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection |
IV. Related Vulnerabilities
Same vendor: geoserver
- CVE-2025-52465
GeoServer has an arbitrary file write vulnerability in its M - CVE-2025-27511
GeoServer DB2 DataStore Extension has a JNDI Vulnerability v - CVE-2025-21621
GeoServer Reflected Cross-Site Scripting (XSS) vulnerability - CVE-2025-58360
GeoServer is vulnerable to an Unauthenticated XML External E - CVE-2025-30220
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE
Same weakness: CWE-20
- CVE-2026-48774
ProxySQL MCP run_sql_readonly executes side-effecting MySQL - CVE-2026-21768
HCL Verse for Android is susceptible to an injection vulnera - CVE-2026-39998
Apache APISIX: Identity Injection via forward-auth Plugin Mi - CVE-2026-12569
Remote Code Execution (RCE) vulnerability in Windchill PDMli - CVE-2026-50196
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name
V. Comments for CVE-2025-58175
No comments yet