Moderate severityNVD Advisory· Published Jun 10, 2025· Updated Jun 10, 2025

GeoServer Coverage REST API Allows Server Side Request Forgery

CVE-2024-40625

Description

GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.geoserver:gs-restMaven	< 2.26.0	2.26.0
org.geoserver.web:gs-web-appMaven	< 2.26.0	2.26.0

Affected products

Geoserver/Geoserverv5
Range: < 2.26.0

Patches

8f9b3e407de0

https://github.com/geoserver/geoservervia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-r4hf-r8gj-jgw2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-40625ghsaADVISORY
github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2ghsax_refsource_CONFIRMWEB
osgeo-org.atlassian.net/browse/GEOS-11468ghsax_refsource_MISCWEB
osgeo-org.atlassian.net/browse/GEOS-11717ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000