CVE-2024-29198
published 2025-06-10


Priority: P179 (high)
CVSS 3.1: 8.2 (high), vector AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:L / A:N
Exploitation status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 1.92% (77.4th percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet, resolving this issue.

Affected

4 ranges

Vendor      Product     Version range           Fixed in
geoserver   geoserver
geoserver   geoserver
osgeo       geoserver   >= 2.0.0, < 2.24.4      2.24.4
osgeo       geoserver   >= 2.25.0, < 2.25.2     2.25.2

Detection & IOCs

url:  /geoserver/TestWfsPost
path: /geoserver/TestWfsPost
  • Detect SSRF exploitation attempts via HTTP POST requests to the /geoserver/TestWfsPost endpoint with a 'url' parameter pointing to an external or internal host.
  • Alert on HTTP POST requests to /geoserver/TestWfsPost with Content-Type: application/x-www-form-urlencoded containing a 'url=' parameter; this is the SSRF trigger vector.
  • Fingerprint exposed GeoServer instances via the Shodan query 'http.title:"geoserver"' or 'server:"geohttpserver"' to inventory instances that may be vulnerable.
  • The vulnerability is exploitable without authentication, so any unauthenticated HTTP POST to /geoserver/TestWfsPost should be treated as suspicious.
  • The SSRF vulnerability via /geoserver/TestWfsPost is only exploitable when 'Proxy Base URL' has NOT been configured in GeoServer. Instances with Proxy Base URL set are not affected.
  • The TestWfsPost servlet is fully removed in GeoServer 2.24.4 and 2.25.2; detection rules targeting this path will produce no hits on patched versions (true negatives expected).
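As an added detection example (not code from the CVE record or from the GeoServer project), the following Python classifier applies the rules above to captured request records. It assumes a reverse proxy or WAF that retains POST bodies, since ordinary access logs do not, and the sample requests and hosts are constructed.

```python
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/geoserver/TestWfsPost"  # IoC path from the advisory

def _target_scope(url):
    """Classify the host in a 'url' parameter as internal, external or unknown."""
    host = urlsplit(url).hostname
    if host is None:
        return "unknown"
    if host == "localhost":
        return "internal"
    try:
        ip = ip_address(host)
    except ValueError:          # a DNS name rather than a literal address
        return "external"
    return "internal" if ip.is_private or ip.is_loopback or ip.is_link_local else "external"

def classify_request(method, path, content_type, body):
    """Return None for traffic that does not touch the servlet, else a verdict dict."""
    if path.rstrip("/") != TARGET_PATH:
        return None
    if method.upper() != "POST":
        # GET probes of the servlet are reconnaissance, not the SSRF trigger itself
        return {"severity": "low", "reason": "non-POST access to TestWfsPost"}
    form = content_type.lower().startswith("application/x-www-form-urlencoded")
    urls = parse_qs(body).get("url") if form else None
    if not urls:
        return {"severity": "medium", "reason": "POST to TestWfsPost without url parameter"}
    return {"severity": "high", "reason": "SSRF trigger vector",
            "target": urls[0], "scope": _target_scope(urls[0])}

def is_affected(version):
    """Affected ranges from the advisory: >=2.0.0 <2.24.4 and >=2.25.0 <2.25.2."""
    v = tuple(int(part) for part in version.split("."))
    return (2, 0, 0) <= v < (2, 24, 4) or (2, 25, 0) <= v < (2, 25, 2)

# Constructed sample requests (not real traffic); a body is only present for POSTs.
SAMPLE_REQUESTS = [
    ("GET", "/geoserver/web/", "", ""),
    ("POST", "/geoserver/TestWfsPost", "application/x-www-form-urlencoded",
     "url=http://10.0.0.5:8080/wfs&body=%3CGetCapabilities%2F%3E"),
    ("POST", "/geoserver/TestWfsPost", "application/x-www-form-urlencoded",
     "url=http://example.org/wfs&body=%3CGetCapabilities%2F%3E"),
    ("GET", "/geoserver/TestWfsPost", "", ""),
]

def scan(records=SAMPLE_REQUESTS):
    """Run the classifier over request records and return the hits in order."""
    return [v for v in (classify_request(*r) for r in records) if v is not None]
```

On a patched instance (2.24.4 / 2.25.2) the servlet no longer exists, so `is_affected` returning False for the running version means any remaining hits from `scan` are probes against a removed endpoint rather than exploitable requests.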

CVSS provenance

Source      Score   Severity   Vector
nvd         8.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
ghsa        8.2     HIGH
osv         8.2     HIGH
vulncheck   7.5     HIGH