GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
References
| Link | Resource |
|---|---|
| https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d | Patch |
| https://github.com/geoserver/geoserver/pull/7406 | Issue Tracking |
| https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 | Vendor Advisory |
| https://osgeo-org.atlassian.net/browse/GEOS-11297 | Issue Tracking |
Configurations
History
03 Dec 2025, 16:43
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Geoserver
Geoserver geoserver |
|
| CPE | cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* | |
| References | () https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d - Patch | |
| References | () https://github.com/geoserver/geoserver/pull/7406 - Issue Tracking | |
| References | () https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 - Vendor Advisory | |
| References | () https://osgeo-org.atlassian.net/browse/GEOS-11297 - Issue Tracking |
25 Nov 2025, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-25 22:15
Updated : 2025-12-03 16:43
NVD link : CVE-2025-21621
Mitre link : CVE-2025-21621
CVE.ORG link : CVE-2025-21621
JSON object : View
Products Affected
geoserver
- geoserver
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')