GeoServer - SSRF (CVE-2024-29198)

CVE-2024-29198 is a server-side request forgery (SSRF) vulnerability in GeoServer that can be exploited via the Demo request endpoint when the Proxy Base URL is unset. This flaw allows remote attackers to make unauthorized requests from the server, potentially exposing internal network resources or sensitive data. Upgrading to GeoServer versions 2.24.4 or 2.25.2 mitigates this risk by removing the vulnerable servlet.

CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2024-29198 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2024-29198 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-29198 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending POST requests to the /geoserver/testwfspost endpoint, causing the server to make arbitrary HTTP requests and enabling SSRF attacks.