CVE-2024-29198
Java vulnerability analysis and mitigation

Overview

GeoServer, an open source software server written in Java that allows users to share and edit geospatial data, is affected by a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-29198). The vulnerability was disclosed on June 10, 2025, affecting versions prior to 2.24.4 and 2.25.2. The issue exists in the Demo request endpoint when the Proxy Base URL is not configured (GitHub Advisory).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and allows unauthenticated users to achieve SSRF through the TestWfsPost servlet in the Demo request endpoint (GitHub Advisory, Wiz).

Impact

When exploited, this vulnerability enables attackers to enumerate internal networks and, in cloud instances, can be leveraged to obtain sensitive data. The vulnerability primarily affects the confidentiality of the system, with potential access to internal network resources (GitHub Advisory, Wiz).

Mitigation and workarounds

Two mitigation options are available:

1) When using GeoServer behind a proxy, administrators should manage the proxy base value using the PROXYBASEURL application property, ensuring a non-empty value that cannot be overridden by the user interface or incoming requests.

2) For direct GeoServer usage without a proxy, block all access to TestWfsPost by editing the web.xml file.

The permanent fix is to upgrade to GeoServer versions 2.24.4 or 2.25.2, which remove the TestWfsPost servlet and implement the demo request page functionality directly in the browser (GitHub Advisory).
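The following web.xml fragment is an added example of the second workaround, not GeoServer's shipped configuration. The servlet name and url-pattern are assumptions: copy them from the existing servlet-mapping for TestWfsPost in the deployed WEB-INF/web.xml before applying the constraint.

```xml
<!-- Added example, not GeoServer's own web.xml. Servlet name and
     url-pattern are assumptions; take them from your deployed file. -->

<!-- Existing mapping that exposes the demo servlet (assumed form): -->
<servlet-mapping>
  <servlet-name>TestWfsPost</servlet-name>
  <url-pattern>/TestWfsPost/*</url-pattern>
</servlet-mapping>

<!-- Added: deny every request to that path. An empty <auth-constraint/>
     means no role is permitted, so the servlet container rejects all
     callers, authenticated or not, before the servlet code runs. No
     <http-method> is listed, so the constraint covers every method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>TestWfsPost</web-resource-name>
    <url-pattern>/TestWfsPost/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

After restarting GeoServer, confirm the block by requesting the TestWfsPost path on the instance and checking that the container answers with 403 rather than forwarding the request. This disables the demo request page's backend on affected versions; the upgrade to 2.24.4 or 2.25.2 remains the permanent fix.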

This report was generated using AI.
