What is CVE-2025-27505?

CVE-2025-27505 is a medium-severity vulnerability in Geoserver, classified under Missing Authorization. CVSS score: 5.3/10. Published 2025-06-10.

How severe is CVE-2025-27505?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Auth bypass in Geoserver

CVE-2025-27505

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with…

Vulnerability class: Broken Access Control

EPSS: 0.009 (76.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Geoserver — versions >= 2.26.0, < 2.26.3, < 2.25.6

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5 (x_refsource_CONFIRM)
https://github.com/geoserver/geoserver/pull/8170 (x_refsource_MISC)
https://osgeo-org.atlassian.net/browse/GEOS-11664 (x_refsource_MISC)
https://osgeo-org.atlassian.net/browse/GEOS-11776 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-27505?: CVE-2025-27505 is a medium-severity vulnerability in Geoserver, classified under Missing Authorization. CVSS score: 5.3/10. Published 2025-06-10.
How severe is CVE-2025-27505?: Medium severity. CVSS v3 base score is 5.3 out of 10.