Severity: HIGH (7.5) | Ecosystem: Maven

GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx

GHSA-68cf-j696-wvv9

Published · Modified

Description

Summary

Missing checks allow SSRF to specific targets (for example PHP behind Nginx) via the TestWfsPost endpoint.

Mitigation

To manage the proxy base value as a system administrator, use the parameter PROXY_BASE_URL to provide a non-empty value that cannot be overridden by the user interface or by an incoming request.
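As an added illustration of the mitigation's principle (this is not GeoServer's own code), the check below models a hardened TestWfsPost-style proxy: the base URL comes only from a non-empty, administrator-set PROXY_BASE_URL, never from the request, and any request-supplied target must stay within that base. The function names and the sample URLs are constructed for the example.

```python
import os
from urllib.parse import urlsplit


class ProxyBaseError(ValueError):
    """Raised when the configured proxy base cannot be used safely."""


def load_proxy_base(env=None):
    """Read PROXY_BASE_URL from the environment (assumed stand-in for the
    administrator setting); an empty value counts as unset and is refused,
    so the base is never silently derived from the incoming request."""
    env = os.environ if env is None else env
    value = env.get("PROXY_BASE_URL", "").strip()
    if not value:
        raise ProxyBaseError("PROXY_BASE_URL is not set; refusing to fall back to the request")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProxyBaseError(f"PROXY_BASE_URL is not an absolute http(s) URL: {value!r}")
    return parts


def is_allowed_target(target_url, proxy_base):
    """Allow the test request only when the target shares scheme, host, port
    and path prefix with the fixed proxy base, so user input cannot point the
    server-side request at an internal or third-party host."""
    target = urlsplit(target_url)
    # urlsplit().hostname strips any user@ prefix, so "base@evil" still resolves to "evil"
    if target.scheme != proxy_base.scheme:
        return False
    if (target.hostname or "").lower() != proxy_base.hostname.lower():
        return False
    default_port = {"http": 80, "https": 443}
    if (target.port or default_port[target.scheme]) != (proxy_base.port or default_port[proxy_base.scheme]):
        return False
    # Compare path prefixes on segment boundaries: /geoserver must not admit /geoserver-admin
    base_path = proxy_base.path.rstrip("/") + "/"
    return (target.path + "/").startswith(base_path)


def check_test_request(target_url, env=None):
    """Decision helper for a TestWfsPost-like endpoint: True only when a valid
    base is configured and the target lies within it."""
    return is_allowed_target(target_url, load_proxy_base(env))
```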

Resolution

The TestWfsPost endpoint has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript Demo Requests page to test OGC Web Services.

References
