CVE-2025-52465: CWE-73: External Control of File Name or Path in geoserver org.geoserver.web:gs-web-app
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.
AI Analysis
Technical Summary
CVE-2025-52465 is an external control of file name or path vulnerability (CWE-73) in GeoServer's gs-web-app component. An authenticated administrator with access to the security system can supply arbitrary absolute file paths to the Master Password Dump web page, causing files containing the master password in plaintext to be created at those locations. The vulnerability requires that the target file does not already exist and that all parent directories exist. This issue affects GeoServer versions prior to 2.26.4 and 2.27.3, where it has been fixed. Systems without the web interface are not vulnerable.
Potential Impact
An attacker with authenticated administrator privileges can create files containing the master password in plaintext at arbitrary absolute paths on the server. This compromises the confidentiality of the master password, potentially allowing further unauthorized access or privilege escalation. The vulnerability has a CVSS 3.1 score of 7.2 (high severity), reflecting its significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade GeoServer to version 2.26.4 or 2.27.3 or later, where this vulnerability is fixed. If the GeoServer web interface is disabled or removed, the vulnerability does not apply. No other mitigations are specified. Patch status is not explicitly stated in the vendor advisory, but fixed versions are provided and should be applied.
CVE-2025-52465: CWE-73: External Control of File Name or Path in geoserver org.geoserver.web:gs-web-app
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.
CVSS v3.1
Score 7.2high
Affected software
pkg:maven/org.geoserver.web/gs-web-appRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-52465 is an external control of file name or path vulnerability (CWE-73) in GeoServer's gs-web-app component. An authenticated administrator with access to the security system can supply arbitrary absolute file paths to the Master Password Dump web page, causing files containing the master password in plaintext to be created at those locations. The vulnerability requires that the target file does not already exist and that all parent directories exist. This issue affects GeoServer versions prior to 2.26.4 and 2.27.3, where it has been fixed. Systems without the web interface are not vulnerable.
Potential Impact
An attacker with authenticated administrator privileges can create files containing the master password in plaintext at arbitrary absolute paths on the server. This compromises the confidentiality of the master password, potentially allowing further unauthorized access or privilege escalation. The vulnerability has a CVSS 3.1 score of 7.2 (high severity), reflecting its significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade GeoServer to version 2.26.4 or 2.27.3 or later, where this vulnerability is fixed. If the GeoServer web interface is disabled or removed, the vulnerability does not apply. No other mitigations are specified. Patch status is not explicitly stated in the vendor advisory, but fixed versions are provided and should be applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-06-17T02:28:39.716Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a340cacf198dc38c105916b
Added to database: 6/18/2026, 3:20:12 PM
Last enriched: 6/18/2026, 3:36:35 PM
Last updated: 6/19/2026, 2:12:41 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.