CVE-2024-29198
Published 2025-06-10
Priority: P1 (79) · Severity: high · CVSS 3.1 base score: 8.2
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 1.92% (77.4th percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4 or 2.25.2 removes the TestWfsPost servlet, resolving this issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | — | — |
| geoserver | geoserver | — | — |
| osgeo | geoserver | >= 2.0.0 < 2.24.4 | 2.24.4 |
| osgeo | geoserver | >= 2.25.0 < 2.25.2 | 2.25.2 |
Detection & IOCs (extracted from sources)
- Detect SSRF exploitation attempts via HTTP POST requests to the /geoserver/TestWfsPost endpoint with a 'url' parameter pointing to an external or internal host.
- Alert on HTTP POST requests to /geoserver/TestWfsPost with Content-Type: application/x-www-form-urlencoded containing a 'url=' parameter: this is the SSRF trigger vector.
- Fingerprint exposed GeoServer instances via Shodan query 'http.title:"geoserver"' or 'server:"geohttpserver"' to identify potentially vulnerable targets.
- The vulnerability is exploitable without authentication: any unauthenticated HTTP POST to /geoserver/TestWfsPost should be treated as suspicious.
- The SSRF vulnerability via /geoserver/TestWfsPost is only exploitable when 'Proxy Base URL' has NOT been configured in GeoServer. Instances with Proxy Base URL set are not affected.
- The TestWfsPost servlet is fully removed in GeoServer 2.24.4 and 2.25.2; detection rules targeting this path will produce no hits on patched versions (true negatives expected).
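One way to turn the detection items above into log-matching logic, as an added example that is not part of this page or of GeoServer's own code: it assumes a constructed JSON-lines reverse-proxy/WAF log that records form bodies (the `src`, `method`, `path`, `content_type` and `body` field names are assumptions), flags every POST to /geoserver/TestWfsPost, and ranks each hit by whether its `url` parameter points at an internal address.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

TESTWFSPOST_PATH = "/geoserver/TestWfsPost"  # servlet removed in 2.24.4 / 2.25.2
FORM = "application/x-www-form-urlencoded"   # content type named in the detection note

def classify_target(url):
    """'internal' for private/loopback/link-local/reserved literal IPs,
    'external' for public literal IPs, 'hostname' when DNS policy must decide."""
    host = urlsplit(url).hostname
    if host is None:
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return "internal"
    return "external"

def detect(log_lines):
    """Return (severity, kind, target, src) per suspicious request. Assumes a
    constructed reverse-proxy/WAF log in JSON lines that records the form body
    (ordinary access logs keep no POST body, so this cannot run on those)."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or urlsplit(rec.get("path", "")).path != TESTWFSPOST_PATH:
            continue
        is_form = rec.get("content_type", "").startswith(FORM)
        targets = parse_qs(rec.get("body", "")).get("url") if is_form else None
        if not targets:  # an unauthenticated POST to the servlet is suspicious by itself
            findings.append(("low", "no-url", None, rec.get("src")))
            continue
        for target in targets:  # 'url' is the SSRF trigger parameter
            kind = classify_target(target)
            findings.append(("high" if kind == "internal" else "medium", kind, target, rec.get("src")))
    return findings

# Constructed sample: internal target, external hostname, bare POST, benign WFS call.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "198.51.100.7", "method": "POST", "path": TESTWFSPOST_PATH, "content_type": FORM,
     "body": "url=http%3A%2F%2F10.0.0.5%3A8080%2F&body=%3CGetCapabilities%2F%3E"},
    {"src": "198.51.100.7", "method": "POST", "path": TESTWFSPOST_PATH, "content_type": FORM,
     "body": "url=http%3A%2F%2Fexample.org%2Fwfs"},
    {"src": "203.0.113.9", "method": "POST", "path": TESTWFSPOST_PATH, "content_type": FORM,
     "body": "body=%3CGetCapabilities%2F%3E"},
    {"src": "203.0.113.9", "method": "POST", "path": "/geoserver/wfs",
     "content_type": "application/xml", "body": "<wfs:GetCapabilities/>"},
]]
```

Hostname targets are ranked medium because the resolver, not the URL, decides where they land; resolve them against local address policy before closing the alert.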
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| ghsa | | 8.2 | HIGH | |
| osv | | 8.2 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
OSV
GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
osv · 2025-06-10 · CVSS 7.5 · CVE-2024-29198 [HIGH]
### Summary
It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set.
### Details
An unauthenticated user can supply a request that will be issued by the server. This can be used to enumerate internal networks and, in the case of cloud instances, to obtain sensitive data.
### Mitigation
1. When using GeoServer with a proxy, manage the proxy base value as a system administrator: use the application property `PROXY_BASE_URL` to provide a non-empty value that cannot be overridden by the user interface or an incoming request.
2. When using GeoServer directly without a proxy, block all access to TestWfsPost by editing the web.xml file. Adding this b
GHSA
GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
ghsa · 2025-06-10 · CVSS 7.5 · CVE-2024-29198 [HIGH] · CWE-918
### Summary
It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set.
### Details
An unauthenticated user can supply a request that will be issued by the server. This can be used to enumerate internal networks and, in the case of cloud instances, to obtain sensitive data.
### Mitigation
1. When using GeoServer with a proxy, manage the proxy base value as a system administrator: use the application property `PROXY_BASE_URL` to provide a non-empty value that cannot be overridden by the user interface or an incoming request.
2. When using GeoServer directly without a proxy, block all access to TestWfsPost by editing the web.xml file. Adding this b
GHSA
GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx
ghsa · 2025-06-10 · CVSS 8.2 · [HIGH] · CWE-918
### Summary
Missing checks allow for SSRF to specific targets using the TestWfsPost endpoint.
### Mitigation
To manage the proxy base value as a system administrator, use the parameter `PROXY_BASE_URL` to provide a non-empty value that cannot be overridden by the user interface or an incoming request.
[thomsmith](https://github.com/thomsmith)
### Resolution
The TestWfsPost servlet has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services.
### References
* [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthent
OSV
GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx
osv · 2025-06-10 · CVSS 8.2 · [HIGH]
### Summary
Missing checks allow for SSRF to specific targets using the TestWfsPost endpoint.
### Mitigation
To manage the proxy base value as a system administrator, use the parameter `PROXY_BASE_URL` to provide a non-empty value that cannot be overridden by the user interface or an incoming request.
[thomsmith](https://github.com/thomsmith)
### Resolution
The TestWfsPost servlet has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services.
### References
* [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthent
VulnCheck
OSGeo GeoServer Server-Side Request Forgery (SSRF)
vulncheck · 2024 · CVSS 7.5 · CVE-2024-29198 [HIGH]
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4 or 2.25.2 removes the TestWfsPost servlet, resolving this issue.
Affected: OSGeo GeoServer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-29198
No detection rules found.
Nuclei
GeoServer Demo Request Endpoint - Server Side Request Forgery
nuclei · CVSS 8.2 · CVE-2024-29198 [HIGH]
It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the case of cloud instances, access to sensitive data.
Template:
```yaml
id: CVE-2024-29198

info:
  name: GeoServer Demo Request Endpoint - Server Side Request Forgery
  author: iamnoooob,pdresearch
  severity: high
  description: |
    It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the
```
No writeups or analysis indexed.
Timeline: 2025-06-10 published · exploited in the wild