GHSA-68cf-j696-wvv9: 
Java vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability (GHSA-68cf-j696-wvv9, CVE-2024-29198) was identified in GeoServer's TestWfsPost endpoint. The vulnerability affects GeoServer versions >= 1.0.0 and < 2.24.4, as well as versions >= 2.25.0 and < 2.25.2. This high-severity issue was discovered and published on June 10, 2025, allowing unauthenticated users to perform SSRF attacks (GitHub Advisory, Wiz Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: None. The vulnerability is classified under CWE-918. The issue stems from missing checks in the TestWfsPost endpoint, which can be exploited without authentication (GitHub Advisory).

The vulnerability allows unauthenticated users to issue server-side requests that can be used to enumerate internal networks. In cloud instances, this can lead to the exposure of sensitive data. The primary impact is on confidentiality, with potential access to internal network resources and sensitive information (GeoServer Advisory).

System administrators can mitigate this vulnerability by setting the PROXYBASEURL parameter with a non-empty value that cannot be overridden by the user interface or incoming requests. For systems using GeoServer directly without a proxy, access to TestWfsPost can be blocked by editing the web.xml file. The permanent fix is available in GeoServer versions 2.24.4 and 2.25.2, where TestWfsPost has been replaced with a JavaScript Demo Requests page for testing OGC Web Services (GeoServer Advisory).