CVE-2025-21621

MEDIUM EPSS 16.4%
Published Nov 25, 2025 (7mo ago) · Modified Jun 17, 2026 (2w ago)
6.1 CVSS 3.1
Medium

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
16.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor      Product     Version Range
geoserver   geoserver   * <2.25.0

References 4

  • github.com https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d
    Patch
  • github.com https://github.com/geoserver/geoserver/pull/7406
    Issue Tracking
  • github.com https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72
    Vendor Advisory
  • osgeo-org.atlassian.net https://osgeo-org.atlassian.net/browse/GEOS-11297
    Issue Tracking

Remediation

  • github.com https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d
    Patch