GeoServer - SSRF (CVE-2024-29198)
79Exploiting IPs reported
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
CrowdSec analysis
CVE-2024-29198 is a server-side request forgery (SSRF) vulnerability in GeoServer that can be exploited via the Demo request endpoint when the Proxy Base URL is unset. This flaw allows remote attackers to make unauthorized requests from the server, potentially exposing internal network resources or sensitive data. Upgrading to GeoServer versions 2.24.4 or 2.25.2 mitigates this risk by removing the vulnerable servlet.
CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.
According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2024-29198 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2024-29198 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-29198 is currently experiencing high visibility and active exploitation across the internet.
Attackers exploit this vulnerability by sending POST requests to the /geoserver/testwfspost
endpoint, causing the server to make arbitrary HTTP requests and enabling SSRF attacks.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.