CVE-2025-27511

high

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.

References

https://osgeo-org.atlassian.net/browse/GEOT-7725

https://nvd.nist.gov/vuln/detail/cve-2023-27867

https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7

https://github.com/geoserver/geoserver/releases/tag/2.27.0

Details

Source: Mitre, NVD

Published: 2026-06-18

Updated: 2026-06-24

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.2

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00361