CVE-2025-27505: 
Java vulnerability analysis and mitigation

GeoServer, an open source server for sharing and editing geospatial data, was found to contain a security vulnerability identified as CVE-2025-27505. The vulnerability allows attackers to bypass the default REST API security and access the index page. This security flaw exists because the REST API security handles 'rest' and its subpaths but fails to properly handle 'rest' with an extension (e.g., rest.html). The vulnerability was disclosed on June 10, 2025, and affects GeoServer versions prior to 2.26.3 and 2.25.6 (GitHub Advisory).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and has a limited impact on confidentiality with no impact on integrity or availability (GitHub Advisory).

The primary impact of this vulnerability is the potential disclosure of information about installed extensions through the REST API index. This information disclosure could provide attackers with valuable insights about the system configuration (GitHub Advisory).

The vulnerability has been patched in GeoServer versions 2.26.3 and 2.25.6. For users unable to upgrade immediately, a workaround is available: modify the ${GEOSERVERDATADIR}/security/config.xml file to change the paths for the rest filter to /rest.,/rest/* and the paths for the gwc filter to /gwc/rest.,/gwc/rest/*, followed by a GeoServer restart (GitHub Advisory).