CVE-2024-40625

5.5 MEDIUM

📋 TL;DR

This vulnerability in GeoServer allows attackers to upload arbitrary files via the Coverage REST API without proper URL validation. Attackers can exploit this to upload malicious files to the server. All GeoServer instances with the Coverage REST API enabled are affected.

💻 Affected Systems

Products:
  • GeoServer
Versions: All versions before 2.26.0
Operating Systems: All operating systems running GeoServer
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Coverage REST API to be enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through uploaded malicious files, complete server compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case

File system manipulation, denial of service by filling disk space, or serving malicious content from the server.

🟢 If Mitigated

Limited impact with proper network segmentation and file upload restrictions, potentially only minor configuration changes.

🌐 Internet-Facing: HIGH - Directly exposed API endpoint allows unauthenticated file uploads from external attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but requires network access and reduces external threat surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required, no authentication needed for the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.26.0

Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2

Restart Required: Yes

Instructions:

1. Download GeoServer 2.26.0 or later from the official website.
2. Back up your current GeoServer configuration and data.
3. Stop the GeoServer service.
4. Replace the existing installation with the new version.
5. Restore your configuration and data.
6. Start the GeoServer service.

🔧 Temporary Workarounds

Disable Coverage REST API

Platform: all

Disable the vulnerable REST API endpoint if not required.

Edit web.xml or application configuration to remove/disable coverage REST endpoints

Network Access Control

Platform: linux

Restrict network access to the GeoServer instance using firewall rules.

# Replace trusted_network with the source CIDR allowed to reach GeoServer (port 8080 assumed).
# The ACCEPT rule must be appended before the DROP rule so that trusted sources match first.
iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GeoServer from untrusted networks
  • Deploy a web application firewall (WAF) with rules to block malicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check if GeoServer version is below 2.26.0 and if the Coverage REST API endpoint is accessible.

Check Version:

Check the GeoServer web interface status page or examine server startup logs for version information.

Verify Fix Applied:

Verify GeoServer version is 2.26.0 or higher and test the vulnerable endpoint with controlled payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload requests to /workspaces/*/coveragestores/*/url.*
  • Large or unexpected file creations in GeoServer data directories

Network Indicators:

  • HTTP POST requests to coverage REST endpoints with external URLs in payload
  • Unusual outbound connections from GeoServer to external domains

SIEM Query:

source="geoserver" AND (uri_path="/workspaces/*/coveragestores/*/url.*" OR (method="POST" AND uri_path CONTAINS "coveragestores"))
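The log indicator and SIEM query above can be checked offline against web-server access logs. The following is an added example, not code from GeoServer or from this advisory: it parses constructed access-log lines in common log format, flags write requests (POST/PUT) whose path matches the page's `/workspaces/*/coveragestores/*/url.*` pattern, and separates hits from untrusted source addresses. The `/geoserver/rest` prefix, the sample IP addresses, the "trusted" 10.0.0.0/8 prefix and the log format are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (not real GeoServer logs): client, timestamp,
# request line, status and response size. Line 2 is an upload from an external address.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /geoserver/rest/workspaces/topp/coveragestores.json HTTP/1.1" 200 512
203.0.113.7 - - [12/Sep/2024:10:02:15 +0000] "PUT /geoserver/rest/workspaces/topp/coveragestores/evil/url.geotiff?configure=first HTTP/1.1" 201 0
10.0.0.5 - - [12/Sep/2024:10:03:40 +0000] "POST /geoserver/rest/workspaces/topp/coveragestores/ortho/url.imagemosaic HTTP/1.1" 201 0
198.51.100.9 - - [12/Sep/2024:10:04:01 +0000] "GET /geoserver/web/ HTTP/1.1" 200 8192
"""

# Common log format: client ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Page indicator /workspaces/*/coveragestores/*/url.* ; any prefix (e.g. /geoserver/rest)
# is allowed, and the extension stops at "/" or "?" so query strings do not leak into it.
COVERAGE_URL_RE = re.compile(
    r'/workspaces/(?P<workspace>[^/]+)/coveragestores/(?P<store>[^/]+)/url\.(?P<ext>[^/?]+)'
)

# Methods that create or replace a coverage store from a URL.
WRITE_METHODS = {"POST", "PUT"}


@dataclass
class Alert:
    client: str
    timestamp: str
    method: str
    workspace: str
    store: str
    extension: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(client: str, trusted_prefixes=("10.",)) -> bool:
    """Assumed notion of a trusted source: the 10.0.0.0/8 range. Adjust per environment."""
    return client.startswith(trusted_prefixes)


def scan_log(text: str) -> List[Alert]:
    """Flag every POST/PUT against a coverage store 'url.<ext>' endpoint."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        hit = COVERAGE_URL_RE.search(rec["path"])
        if hit is None:
            continue
        alerts.append(Alert(
            client=rec["client"],
            timestamp=rec["ts"],
            method=rec["method"],
            workspace=hit.group("workspace"),
            store=hit.group("store"),
            extension=hit.group("ext"),
            status=int(rec["status"]),
        ))
    return alerts


def untrusted_alerts(alerts: List[Alert]) -> List[Alert]:
    """Keep only hits from sources outside the trusted range; these deserve first review."""
    return [a for a in alerts if not is_trusted(a.client)]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        flag = "UNTRUSTED" if not is_trusted(a.client) else "internal"
        print(f"{a.timestamp} {a.client:15} {a.method} {a.workspace}/{a.store} url.{a.extension} "
              f"-> {a.status} [{flag}]")
```

Every hit on the endpoint is reported because the page treats any upload request there as unusual; the untrusted-source filter only orders review priority. A successful (2xx) write from an address outside the expected administrative range is the case to correlate with the file-creation indicator in the GeoServer data directory.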
