GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

GHSA-g628-r368-6vh7 · CVE-2025-27511

Published Jun 11, 2026 · Modified Jun 11, 2026

Description

Summary

Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution (RCE).

Impact

If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code.

Details

Authenticated users can access Vector Data Sources page to creating a new data store through db2 jdbc connection, performing JNDI attack due to unrestricted connection parameters, and then achieve RCE with deserialization of untrusted data.

Remediation

This issue has been fixed in this release: https://github.com/geoserver/geoserver/releases/tag/2.27.0.

References

https://osgeo-org.atlassian.net/browse/GEOT-7725
https://nvd.nist.gov/vuln/detail/cve-2023-27867

References

WEB https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
PACKAGE https://github.com/geoserver/geoserver
WEB https://github.com/geoserver/geoserver/releases/tag/2.27.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes