PT-2025-24671 · Geoserver · Geoserver

Sikeoka · Published 2025-06-10 · Updated 2025-07-14 · CVE-2025-27505

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.25.6; GeoServer versions prior to 2.26.3

Description: The issue allows bypassing the default REST API security, enabling access to the REST API index page. This is possible because the REST API security does not handle 'rest' with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed.
Recommendations: For versions prior to 2.25.6, update to version 2.25.6 or later. For versions prior to 2.26.3, update to version 2.26.3 or later. As a temporary workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
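To check which request paths a filter chain's 'path' setting actually covers, here is an added example (not from the advisory and not GeoServer's own code) that approximates the Ant-style path matching GeoServer filter chains use and compares the default rest/gwc paths with the workaround paths. The matcher is a simplified assumption written for this illustration, and the default values /rest/** and /gwc/rest/** are assumed from the unpatched chain.

```python
import re

# Simplified Ant-style matcher (assumption, approximating Spring's AntPathMatcher):
# '**' spans path segments, '*' stays within one segment, '/**' also matches the
# bare prefix so that '/rest/**' covers '/rest' as well as '/rest/anything'.
def ant_to_regex(pattern: str) -> re.Pattern:
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")   # a single '*' never crosses a '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def chain_matches(paths: str, request_path: str) -> bool:
    """True if any comma-separated pattern of a filter chain 'path' attribute matches."""
    return any(ant_to_regex(p.strip()).fullmatch(request_path) is not None
               for p in paths.split(","))

def uncovered(paths: str, candidates) -> list:
    """Request paths from `candidates` that would NOT be handled by this chain."""
    return [c for c in candidates if not chain_matches(paths, c)]

# Assumed default chain paths versus the workaround paths from the advisory.
DEFAULT_REST = "/rest/**"
WORKAROUND_REST = "/rest.*,/rest/**"
DEFAULT_GWC = "/gwc/rest/**"
WORKAROUND_GWC = "/gwc/rest.*,/gwc/rest/**"

# Constructed sample request paths for the coverage check.
SAMPLE_REST_PATHS = ["/rest", "/rest/", "/rest.html", "/rest/workspaces.json"]

if __name__ == "__main__":
    print("default leaves uncovered:   ", uncovered(DEFAULT_REST, SAMPLE_REST_PATHS))
    print("workaround leaves uncovered:", uncovered(WORKAROUND_REST, SAMPLE_REST_PATHS))
```

The same check applied to the gwc chain confirms that only the patterns with the '.*' alternative cover '/gwc/rest.html'.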

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-27505
GHSA-H86G-X8MM-78M5

Affected Products

Geoserver