SCA: security update for org.geoserver.web:gs-web-app, org.geoserver:gs-main (GHSA-x4r9-gmw3-hxww)

high Tenable Cloud Security Plugin ID 443116

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions
2.26.4 and 2.27.3, a GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform
unauthenticated Server-Side Request Forgery (SSRF). This vulnerability requires that GeoServer is set up
to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST` (default since 2.25.0). Versions 2.26.4 and
2.27.3 contain a fix. GeoServer installations are only affected by this vulnerability if they use a proxy
base URL that does not contain a URL path or end with a slash. If the proxy base URL does not contain a
path, adding a slash to the end of the URL will mitigate this vulnerability. (CVE-2025-58175)

Solution

Update the org.geoserver.web:gs-web-app library and its related packages to version 2.26.4 or later.

See Also

https://github.com/advisories/GHSA-x4r9-gmw3-hxww

Plugin Details

Severity: High

ID: 443116

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 6/12/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 52.03

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:P

CVSS Score Source: CVE-2025-58175

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/12/2026

Vulnerability Publication Date: 6/12/2026

Reference Information

CVE: CVE-2025-58175