CVE-2025-58175 geoserver CVE debrief

Who should care

GeoServer administrators and users who have set up a proxy base URL without a URL path or ending with a slash should be aware of this vulnerability. Additionally, security teams and IT professionals responsible for geospatial data servers should take note of this CVE and assess their systems for potential exposure.

Technical summary

CVE-2025-58175 is a Server-Side Request Forgery (SSRF) vulnerability in GeoServer that can be exploited without authentication. The vulnerability arises when GeoServer is configured to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST feature is enabled. This feature is enabled by default since version 2.25.0. The vulnerability can be mitigated by adding a slash to the end of the proxy base URL. The issue is addressed in versions 2.26.4 and 2.27.3.

Defensive priority

Medium

Recommended defensive actions

• Update GeoServer to version 2.26.4 or 2.27.3
• Add a slash to the end of the proxy base URL if it does not contain a URL path
• Review and adjust ENTITY_RESOLUTION_ALLOWLIST settings
• Monitor GeoServer installations for suspicious activity
• Implement additional security measures to prevent SSRF attacks

Evidence notes

The CVE-2025-58175 vulnerability is based on information from the NVD and GeoServer security advisories. The vulnerability requires specific configurations, including the use of a proxy base URL and ENTITY_RESOLUTION_ALLOWLIST. The issue is addressed in versions 2.26.4 and 2.27.3.

Official resources