CVE-2024-29198: CWE-918: Server-Side Request Forgery (SSRF) in geoserver geoserver
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if the Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4 or 2.25.2 removes the TestWfsPost servlet, resolving this issue.
AI Analysis
Technical Summary
CVE-2024-29198 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting GeoServer, an open-source Java-based server used for sharing and editing geospatial data. The vulnerability exists in the Demo request endpoint when the Proxy Base URL configuration is not set. An attacker can exploit this flaw to make the GeoServer instance send crafted HTTP requests to internal or external systems on behalf of the server, potentially accessing internal resources that are otherwise inaccessible from the outside. This SSRF vulnerability arises from improper validation and control of URLs that the server requests internally. The affected versions include GeoServer releases from 2.0.0 up to but not including 2.24.4, and from 2.25.0 up to but not including 2.25.2. The issue is resolved by upgrading to GeoServer 2.24.4 or 2.25.2, which remove the vulnerable TestWfsPost servlet responsible for this behavior. The CVSS v3.1 base score is 7.5, reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality but no impact on integrity or availability. No known exploits are currently reported in the wild. This vulnerability is classified under CWE-918, which covers SSRF issues where an attacker can abuse server functionality to induce the server to make HTTP requests to arbitrary domains, including internal networks.
Potential Impact
For European organizations, the impact of this SSRF vulnerability in GeoServer can be significant, especially for entities relying on geospatial data services such as government agencies, urban planning departments, environmental monitoring organizations, and private companies in sectors like transportation, utilities, and telecommunications. Exploiting this vulnerability could allow attackers to access sensitive internal network resources, potentially exposing confidential geospatial data or other internal services. This could lead to unauthorized data disclosure, reconnaissance for further attacks, or pivoting deeper into the network. Since GeoServer is often deployed in environments with sensitive or critical infrastructure data, the confidentiality breach could have regulatory and operational consequences. Additionally, the lack of required authentication and user interaction increases the risk of automated exploitation attempts. Although no active exploits are known yet, the widespread use of GeoServer in Europe and the high severity score suggest that organizations should prioritize remediation to avoid potential future attacks.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately upgrade affected GeoServer instances to versions 2.24.4 or 2.25.2 or later, which remove the vulnerable TestWfsPost servlet. If upgrading is not immediately feasible, organizations should disable or restrict access to the Demo request endpoint and the TestWfsPost servlet to trusted internal networks only. Additionally, setting the Proxy Base URL configuration properly can prevent SSRF exploitation by restricting the URLs GeoServer can access internally. Network-level controls such as firewall rules should be implemented to limit outbound HTTP requests from the GeoServer host to only necessary destinations. Monitoring and logging HTTP requests originating from GeoServer can help detect suspicious activity. Finally, organizations should review their internal network segmentation and access controls to minimize the impact of any potential SSRF exploitation.
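Added example (not code from the advisory or from the GeoServer project) of the log-based detection the mitigation text recommends: it parses constructed access-log lines, picks out requests that reached the TestWfsPost servlet, and flags those whose forwarded URL points at a loopback, private or link-local address. The servlet path /geoserver/TestWfsPost and the url parameter name are assumptions, since the page does not name them.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2025:03:20:29 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2F10.0.0.5%3A8080%2Fadmin&body=x HTTP/1.1" 200 512
198.51.100.9 - - [11/Jul/2025:03:21:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 200 8814
203.0.113.7 - - [11/Jul/2025:03:21:40 +0000] "POST /geoserver/TestWfsPost?url=http%3A%2F%2F127.0.0.1%3A8080%2Fgeoserver%2Frest HTTP/1.1" 200 77
192.0.2.3 - - [11/Jul/2025:03:22:11 +0000] "GET /geoserver/TestWfsPost?url=https%3A%2F%2Fgis.example.org%2Fgeoserver%2Fwfs HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed servlet path and parameter name (the advisory does not state them).
SERVLET_PATH = "/geoserver/TestWfsPost"
URL_PARAM = "url"

def points_internal(url):
    # Flag loopback/private/link-local IP literals and 'localhost'; bare hostnames are not resolved here.
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: deciding would need resolution against an allow-list
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_testwfspost_requests(log_text):
    # One record per request that hit the servlet, with its forwarded URL classified.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SERVLET_PATH:
            continue
        forwarded = parse_qs(parts.query).get(URL_PARAM, [""])[0]
        hits.append({"src": m.group("src"), "method": m.group("method"),
                     "forwarded_url": forwarded, "internal_target": points_internal(forwarded)})
    return hits

if __name__ == "__main__":
    print(*find_testwfspost_requests(SAMPLE_LOG), sep="\n")
```

Parameters sent in a POST body do not appear in a standard access log, so this only covers query-string usage; request-body logging at the servlet container or reverse proxy is needed for the rest.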
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-03-18T17:07:00.095Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f561b0bd07c3938a482
Added to database: 6/10/2025, 6:54:14 PM
Last enriched: 7/11/2025, 3:20:29 AM
Last updated: 8/15/2025, 1:53:04 PM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)