CVE-2024-40625: Coverage REST API Server Side Request Forgery

June 10, 2025

The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allow to upload file with a specified url (with {method} equals ‘url’) with no restrict.

References

github.com/advisories/GHSA-r4hf-r8gj-jgw2
github.com/geoserver/geoserver
github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2
nvd.nist.gov/vuln/detail/CVE-2024-40625
osgeo-org.atlassian.net/browse/GEOS-11468
osgeo-org.atlassian.net/browse/GEOS-11717

Code Behaviors & Features

Detect and mitigate CVE-2024-40625 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →