CVE-2025-27505
GeoServer Missing Authorization on REST API Index
Description
### Summary

It is possible to bypass the default REST API security and access the index page.

### Details

The REST API security handles `rest` and its subpaths but not `rest` with an extension (e.g., `rest.html`).

### Impact

The REST API index can disclose whether certain extensions are installed.

### Workaround

In `${GEOSERVER_DATA_DIR}/security/config.xml`, change the paths for the `rest` filter to `/rest.*,/rest/**` and change the paths for the `gwc` filter to `/gwc/rest.*,/gwc/rest/**`, then restart GeoServer.

### References

- https://osgeo-org.atlassian.net/browse/GEOS-11664
- https://osgeo-org.atlassian.net/browse/GEOS-11776
- https://github.com/geoserver/geoserver/pull/8170
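The root cause and the workaround both come down to which request paths the `rest` and `gwc` filter-chain patterns actually match. The following added example (not GeoServer code, and not part of the advisory) models that: `ant_to_regex` is a simplified re-implementation of Ant-style path matching, which is an assumption about how the chain patterns are interpreted, and `PROBE_PATHS` is a constructed list of request paths a defender would want intercepted. Running it shows that the default `/rest/**` pattern leaves `/rest.html`-style paths uncovered while the advisory's `/rest.*,/rest/**` values cover them, which is a quick way to sanity-check an edited `config.xml` before restarting.

```python
import re

# Constructed probes: request paths the REST security chain should cover.
# The advisory says the chain handles `rest` and its subpaths but not
# `rest` with an extension such as `rest.html`, so both kinds are listed.
PROBE_PATHS = [
    "/rest",
    "/rest/",
    "/rest/about/version",
    "/rest.html",
    "/rest.json",
    "/gwc/rest",
    "/gwc/rest/layers",
    "/gwc/rest.html",
]

# Filter-chain path values: the pre-workaround form (assumed to be the
# subpath-only pattern the advisory describes) and the values the
# advisory's workaround section prescribes.
DEFAULT_REST_PATHS = "/rest/**"
DEFAULT_GWC_PATHS = "/gwc/rest/**"
FIXED_REST_PATHS = "/rest.*,/rest/**"
FIXED_GWC_PATHS = "/gwc/rest.*,/gwc/rest/**"


def ant_to_regex(pattern):
    """Translate one Ant-style path pattern into an anchored regex.

    Simplified model (assumption, not GeoServer's own matcher):
      /**  -> zero or more further path segments, including none
      **   -> anything, across segment boundaries
      *    -> any run of characters within one segment
      ?    -> exactly one character within a segment
    Every other character, including '.', is taken literally.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_paths(path_attr):
    """Split a comma-separated path list, the form the advisory's workaround uses."""
    return [p.strip() for p in path_attr.split(",") if p.strip()]


def is_covered(request_path, path_attr):
    """True if any pattern in the filter chain's path list matches the request path."""
    return any(ant_to_regex(p).match(request_path) for p in parse_paths(path_attr))


def uncovered_paths(path_attrs, probes=PROBE_PATHS):
    """Return the probe paths that none of the given filter chains would intercept."""
    return [p for p in probes if not any(is_covered(p, attr) for attr in path_attrs)]


if __name__ == "__main__":
    # Expected: the extension variants slip past the default patterns,
    # and nothing slips past the workaround patterns.
    print("default:", uncovered_paths([DEFAULT_REST_PATHS, DEFAULT_GWC_PATHS]))
    print("fixed:  ", uncovered_paths([FIXED_REST_PATHS, FIXED_GWC_PATHS]))
```

The matcher escapes `.` as a literal, so `/rest.*` only matches `/rest` followed by an extension, and `/rest/**` is translated so that it also matches the bare `/rest`; that pairing is why the workaround lists both patterns rather than replacing one with the other. To check a real deployment, paste the `path` values from the `rest` and `gwc` chains in `config.xml` into `uncovered_paths` and confirm the result is empty.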
How to fix CVE-2025-27505
To remediate CVE-2025-27505, upgrade the affected package to a fixed version below.
- —upgrade to 2.26.3 or later
- —upgrade to 2.26.3 or later
Is CVE-2025-27505 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.26.0, < 2.26.3
- >= 2.26.0, < 2.26.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |