GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution

GHSA-x4r9-gmw3-hxww · CVE-2025-58175

Published Jun 12, 2026 · Modified Jun 12, 2026

Description

Summary

A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).

Details

This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):

Impact

This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.

Workaround

GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11867
https://github.com/geoserver/geoserver/pull/8622

Credits:

Le Mau Anh Phong at Verichains Cyber Force

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes