CVE-2025-27505
GeoServer Missing Authorization on REST API Index
Severity: MEDIUM (5.3), EPSS: 0.83%
Published: 6/10/2025, Modified: 6/10/2025
Description
### Summary
It is possible to bypass the default REST API security and access the index page.
### Details
The REST API security handles `rest` and its subpaths but not `rest` with an extension (e.g., `rest.html`).
### Impact
The REST API index can disclose whether certain extensions are installed.
### Workaround
In `${GEOSERVER_DATA_DIR}/security/config.xml`, change the paths for the `rest` filter to `/rest.*,/rest/**` and change the paths for the `gwc` filter to `/gwc/rest.*,/gwc/rest/**`, then restart GeoServer.
### References
- https://osgeo-org.atlassian.net/browse/GEOS-11664
- https://osgeo-org.atlassian.net/browse/GEOS-11776
- https://github.com/geoserver/geoserver/pull/8170
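To see why a filter chain scoped to `/rest/**` never sees `/rest.html`, and why the workaround adds `/rest.*` and `/gwc/rest.*` next to the existing patterns, here is an added example (not GeoServer code) with a minimal Ant-style path matcher in the spirit of the one GeoServer's filter chains rely on; that the pre-fix chains used only the `/**` form is an assumption drawn from the Details section, and the sample requests are constructed.

```python
import re

# Added example, not GeoServer code: a minimal Ant-style path matcher that
# mimics how a security filter chain decides which request paths it covers.
# The "vulnerable" pattern set is assumed from the advisory's Details; the
# "hardened" set is the advisory's workaround verbatim.

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style pattern into an anchored regex.
    '**' spans directories, '*' and '?' stay within one segment, and a trailing
    '/**' also matches the bare base path (so '/rest/**' matches '/rest')."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def covered(paths, request_path):
    """True if any filter-chain pattern in `paths` claims `request_path`."""
    return any(ant_to_regex(p).match(request_path) for p in paths)

def uncovered_requests(paths, requests):
    """Requests that fall through the chain and reach the endpoint unchecked."""
    return [r for r in requests if not covered(paths, r)]

# Assumed pre-fix chains (only the /** form) versus the advisory's workaround.
VULNERABLE = {"rest": ["/rest/**"], "gwc": ["/gwc/rest/**"]}
HARDENED = {"rest": ["/rest.*", "/rest/**"], "gwc": ["/gwc/rest.*", "/gwc/rest/**"]}

if __name__ == "__main__":
    # Constructed sample requests: bare path, a subpath, and the extension forms.
    sample = ["/rest", "/rest/about/status", "/rest.html", "/rest.json"]
    print("vulnerable leaves unchecked:", uncovered_requests(VULNERABLE["rest"], sample))
    print("hardened leaves unchecked:", uncovered_requests(HARDENED["rest"], sample))
```

The same check can be pointed at the `gwc` entries, which show the identical gap for `/gwc/rest.html`.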
Affected packages (2)
- Maven / org.geoserver:gs-rest: >= 2.26.0, < 2.26.3
- Maven / org.geoserver.web:gs-web-app: >= 2.26.0, < 2.26.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27505
- PATCH: https://github.com/geoserver/geoserver
- WEB: https://github.com/geoserver/geoserver/pull/8170
- WEB: https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5
- WEB: https://osgeo-org.atlassian.net/browse/GEOS-11664
- WEB: https://osgeo-org.atlassian.net/browse/GEOS-11776