Vulnerability Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
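The description above names the vulnerable surface (WMS GetFeatureInfo, HTML output format, the SLD_BODY parameter) and the fixed version. The following is an added defender-side example, not code from the advisory or from the GeoServer project: it checks whether a deployed GeoServer version string falls in the affected range and scans web-server access-log lines for GetFeatureInfo requests that request HTML output and carry an SLD_BODY parameter, flagging any whose SLD_BODY contains script-like markup for review. The log lines are constructed for this example; it assumes combined-log-format lines and uses the standard WMS `INFO_FORMAT` parameter (which selects the GetFeatureInfo output format) even though the description above does not name it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# First version that carries the fix, per the advisory text above.
FIXED_VERSION = (2, 25, 0)


def is_affected(version: str) -> bool:
    """Return True when a GeoServer version string is older than 2.25.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))          # pad "2.24" to (2, 24, 0)
    return parts < FIXED_VERSION


# Markup that has no business inside a Styled Layer Descriptor document.
SUSPICIOUS_MARKUP = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)

# Client IP and request URL from a combined-log-format line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')


def classify_request(url: str):
    """Return None (not relevant), "review" (HTML GetFeatureInfo with an
    SLD_BODY) or "suspicious" (that SLD_BODY carries script-like markup)."""
    # WMS parameter names are case-insensitive, so normalise the keys.
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k.upper(): v[0] for k, v in query.items()}
    if params.get("REQUEST", "").lower() != "getfeatureinfo":
        return None
    if "html" not in params.get("INFO_FORMAT", "").lower():
        return None
    body = params.get("SLD_BODY")
    if body is None:
        return None
    return "suspicious" if SUSPICIOUS_MARKUP.search(body) else "review"


def scan_log(text: str):
    """Yield (client_ip, verdict) for each log line worth a look."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group(2))
        if verdict:
            findings.append((m.group(1), verdict))
    return findings


# Constructed sample log lines (not real GeoServer traffic).
SAMPLE_LOG = """
203.0.113.10 - - [10/Jan/2025:12:00:01 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text/html&LAYERS=topp:states&QUERY_LAYERS=topp:states&SLD_BODY=%3CStyledLayerDescriptor%3E%3C/StyledLayerDescriptor%3E HTTP/1.1" 200 512
203.0.113.11 - - [10/Jan/2025:12:00:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text/html&LAYERS=topp:states&SLD_BODY=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.12 - - [10/Jan/2025:12:00:03 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD_BODY=%3CStyledLayerDescriptor/%3E HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    print("2.24.2 affected:", is_affected("2.24.2"))   # True
    print("2.25.0 affected:", is_affected("2.25.0"))   # False
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(ip, verdict)
```

The GetMap request in the third sample line is deliberately ignored: SLD_BODY is a legitimate WMS parameter, and the flaw described above is specific to the GetFeatureInfo HTML output. The "review" verdict is a prompt for a human look rather than an alert on its own; on a server at or above 2.25.0 the "suspicious" hits still tell you someone is probing.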
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| GeoServer | GeoServer | < 2.25.0 |
Related Weaknesses (CWE)
References
- https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19 (Patch)
- https://github.com/geoserver/geoserver/pull/7406 (Issue Tracking)
- https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 (Vendor Advisory)
- https://osgeo-org.atlassian.net/browse/GEOS-11297 (Issue Tracking)
FAQ
What is CVE-2025-21621?
CVE-2025-21621 is a vulnerability with a CVSS score of 6.1 (MEDIUM): a reflected cross-site scripting (XSS) flaw in the WMS GetFeatureInfo HTML output format of GeoServer, the open source server for sharing and editing geospatial data, fixed in version 2.25.0 (see the Vulnerability Description above).
How severe is CVE-2025-21621?
CVE-2025-21621 has been rated MEDIUM with a CVSS base score of 6.1/10; see the CVSS Score section above.
Is there a patch for CVE-2025-21621?
Yes: the issue is patched in GeoServer 2.25.0. See the References section above for the vendor advisory and the patch commit. Affected product: GeoServer (vendor GeoServer), versions before 2.25.0.