GeoServer - SSRF (CVE-2024-29198)

CVE-2024-29198 is a server-side request forgery (SSRF) vulnerability in GeoServer that can be exploited via the Demo request endpoint when the Proxy Base URL is unset. This flaw allows remote attackers to make unauthorized requests from the server, potentially exposing internal network resources or sensitive data. Upgrading to GeoServer versions 2.24.4 or 2.25.2 mitigates this risk by removing the vulnerable servlet.

CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2024-29198 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2024-29198. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit this vulnerability by sending POST requests to the /geoserver/testwfspost endpoint, causing the server to make arbitrary HTTP requests and enabling SSRF attacks.