CVE-2025-27511 | GeoServer is an open source server that allows users to shar… | CVSS 7.2 HIGH

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.

Metadata

CVE ID: CVE-2025-27511
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-02-26 18:11 UTC
Published: 2026-06-18 14:23 UTC
Last updated: 2026-06-18 15:57 UTC
Primary CWE: CWE-502
CWE-502: Deserialization of Untrusted Data
Vendor / Product: geoserver / org.geoserver.extension:gs-db2
Sources: cve.org · NVD

Severity & Metrics

7.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
geoserver	org.geoserver.extension:gs-db2	—	< 2.27.0

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	CWE-502: Deserialization of Untrusted Data
CWE-74	cna	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (4)

https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7 https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
https://github.com/geoserver/geoserver/releases/tag/2.27.0 https://github.com/geoserver/geoserver/releases/tag/2.27.0
https://nvd.nist.gov/vuln/detail/cve-2023-27867 https://nvd.nist.gov/vuln/detail/cve-2023-27867
https://osgeo-org.atlassian.net/browse/GEOT-7725 https://osgeo-org.atlassian.net/browse/GEOT-7725