CrowdSec
8/10CrowdSec Score

GeoServer - SSRF (CVE-2024-29198)

Published on10-06-2025
First seen on31-07-2025

79Exploiting IPs reported

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.

CrowdSec analysis

CVE-2024-29198 is a server-side request forgery (SSRF) vulnerability in GeoServer that can be exploited via the Demo request endpoint when the Proxy Base URL is unset. This flaw allows remote attackers to make unauthorized requests from the server, potentially exposing internal network resources or sensitive data. Upgrading to GeoServer versions 2.24.4 or 2.25.2 mitigates this risk by removing the vulnerable servlet.

CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2024-29198 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2024-29198 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2024-29198 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending POST requests to the /geoserver/testwfspost endpoint, causing the server to make arbitrary HTTP requests and enabling SSRF attacks.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.