CVE-2025-27511
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Description
## Summary

An administrator can perform a JNDI attack through a specially crafted DB2 JDBC URL, leading to Remote Code Execution (RCE).

## Impact

If GeoServer has the DB2 extension installed, this vulnerability can lead to execution of arbitrary code.

## Details

Authenticated users can access the Vector Data Sources page to create a new data store through a DB2 JDBC connection. Because the connection parameters are unrestricted, they can perform a JNDI attack and then achieve RCE through deserialization of untrusted data.

### Remediation

This issue has been fixed in this release: https://github.com/geoserver/geoserver/releases/tag/2.27.0.

## References

* https://osgeo-org.atlassian.net/browse/GEOT-7725
* https://nvd.nist.gov/vuln/detail/cve-2023-27867
How to fix CVE-2025-27511
To remediate CVE-2025-27511, upgrade the affected package to a fixed version below.
- upgrade to 2.27.0 or later
Is CVE-2025-27511 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-27511.
Affected packages (1)
- all versions from 0 up to (but not including) 2.27.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |