GeoServer 2.25-RC release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a release candidate intended for public review and feedback. GeoServer 2.25-RC is made in conjunction with GeoTools 31-RC, and GeoWebCache 1.25-RC.

Thanks to Jody Garnett (GeoCat) for making this release.

Why share a release candidate?

A sensible question to ask is why a “release candidate” is being produced at all - when we do not recommend running such a thing in production.

GeoServer also follows a “release early, release often” approach, in which the project shares releases so you can test and provide feedback.

This results in a lovely balance:

  • The GeoServer developers have already tested on the data and data sources they have handy.

  • The users of GeoServer have access to a much greater variety of data and use cases to test with.

    Please try out this release candidate and let us know how it works for you.

  • Bonus: By testing with your data directory you are assured that the next GeoServer will work well for you and your team.

This balance of a community sharing, with each doing what they can do easily, is a nice thing about the open-source approach: the result is software we can trust and that works well.

Thank you for being part of the GeoServer community. Testing and feedback are welcome by email and bug reports.

Upgrade Notes

We have a number of configuration changes when updating an existing system:

  • The longstanding ENTITY_RESOLUTION_ALLOWLIST setting has been recommended as a way to control the locations available for external entity resolution when parsing XML documents and requests.

    The default has changed from * (allowing any location) to allowing the recommended locations used for OGC Web Services, along with the location used by our friends in Europe.

  • The FreeMarker Template HTML Auto-escaping is now enabled by default.

  • The spring security firewall is now enabled by default.

  • A new configuration setting is available to limit content served from the geoserver/www folder.

    If you have not met the www folder before, it is used to share content, and there is a tutorial on serving static files.

  • We add recommendations to the production considerations over time. If you have not checked that page in a while, please review it.

Thanks to Steve Ikeoka and Jody Garnett for these improvements.
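A pre-upgrade check for the ENTITY_RESOLUTION_ALLOWLIST default change above, added here as an example and not GeoServer code: it scans XML text for the http(s) locations it references and lists those an allowlist would not cover. The function names, the host/path prefix matching rule and the `schemas.example.org` entry are assumptions of this example; take the actual default locations and matching behaviour from the GeoServer documentation.

```python
import re
from urllib.parse import urlsplit

# SYSTEM/PUBLIC identifiers in DOCTYPE and ENTITY declarations.
DECL = re.compile(
    r'<!(?:DOCTYPE|ENTITY)\b[^>]*?\b(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])'
    r'\s+["\']([^"\']+)["\']', re.I)
# schemaLocation attributes: xsi:schemaLocation pairs, xs:import, xs:include.
SCHEMA_LOC = re.compile(r'\bschemaLocation\s*=\s*["\']([^"\']+)["\']', re.I)

def external_locations(xml_text):
    """http(s) URLs a parser would be asked to fetch; text scan, no XML parsing."""
    found = DECL.findall(xml_text)
    for value in SCHEMA_LOC.findall(xml_text):
        tokens = value.split()
        # "namespace location" pairs: only every second token is a location.
        found.extend(tokens if len(tokens) == 1 else tokens[1::2])
    return sorted({u for u in found if u.lower().startswith(("http://", "https://"))})

def is_allowed(url, allowlist):
    """Assumed rule: an entry is a host or host/path prefix; '*' allows all."""
    if "*" in allowlist:
        return True
    try:
        parts = urlsplit(url)
    except ValueError:  # unparseable URL: report it rather than pass it
        return False
    target = (parts.hostname or "") + parts.path
    # Match on a '/' boundary so a longer lookalike host does not pass.
    return any(target == e.rstrip("/") or target.startswith(e.rstrip("/") + "/")
               for e in allowlist)

def blocked_references(xml_text, allowlist):
    """Referenced locations that the given allowlist does not cover."""
    return [u for u in external_locations(xml_text) if not is_allowed(u, allowlist)]

# Constructed sample document; the fetchable hosts are placeholders.
SAMPLE = '''<?xml version="1.0"?>
<!DOCTYPE StyledLayerDescriptor [
  <!ENTITY note SYSTEM "https://files.example.net/note.txt">
]>
<StyledLayerDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.opengis.net/sld https://schemas.example.org/sld/sld.xsd">
  <xs:import namespace="urn:x" schemaLocation="https://schemas.example.org.lookalike.test/x.xsd"/>
</StyledLayerDescriptor>'''

if __name__ == "__main__":
    for url in blocked_references(SAMPLE, ["schemas.example.org"]):
        print("not covered by allowlist:", url)
```

Run `blocked_references` over the text of each XML file in a copy of your data directory (styles, schemas, mappings) with the allowlist you intend to deploy; anything it reports is a reference to review before upgrading.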

Security Considerations

This is a reminder to update to GeoServer 2.24.2 Release (or GeoServer 2.23.5 Release).

Alongside the upcoming GeoServer 2.25.0 release we will “publicly disclose” a list of Common Vulnerabilities and Exposures that have been addressed previously.

  • If you are working with a commercial support provider that volunteers with the geoserver-security email list they are already informed.
  • If you have updated to GeoServer 2.24.2 Release (or GeoServer 2.23.5 Release) you are already patched.

I hope you enjoy our team’s effort to improve communication. The use of the CVE system allows us to reach a wider audience than reads these blog posts.

See the project security policy for more information on how security vulnerabilities are managed.

Experimental Java 21 support

GeoServer, along with GeoTools and GeoWebCache, is now tested to build and pass tests with Java 21.

This is not yet an endorsement to run GeoServer in production with Java 21. We are looking ahead at the 2024 roadmap, and are making sure the basics are covered for the newer Java releases.

JTS fast polygon intersection enabled by default

The JTS Next Generation polygon intersection algorithm has been enabled by default, which will improve performance of a number of operations, including WPS processes and the vector tiles generation. We deem the functionality well tested enough that it should be opened to the majority of users, even if it’s still possible to turn it off by adding the -Djts.overlay=old system property.

MapML Extension

The MapML extension is receiving a number of updates and improvements, with more to come in the following months. It’s now possible to declare “Tiled CRS” as the CRS for a layer, with the implication not just of the CRS, but also of the gridset that will be used by the MapML viewer.

This portion builds on top of the work done months ago to support astronomical CRSs, which allows GeoServer to support multiple CRS authorities.

The MapML preview links are now using the new MapML output format, while the old dedicated REST controller has been removed. This allows for better integration of the MapML format in the GeoServer ecosystem. The MapML viewer has also been updated to the latest version.

Thanks to Joseph Miller and Andrea Aime (GeoSolutions) for this work, and Natural Resources Canada for sponsoring it.

Community Module Updates

Much of the new activity in GeoServer starts as a community module. We’d like to remind you that these modules are not yet supported, and invite you to join the effort by participating in their development, as well as testing them and providing feedback.

Raster Attribute Table community module

Developed as part of GEOS-11175, the Raster Attribute Table community module uses the GDAL Raster Attribute Table (RAT) to provide a way to associate attribute information for individual pixel values within the raster, to create styles as well as to provide a richer GetFeatureInfo output.

For more information see the user guide.

We’d like to thank Andrea Aime (GeoSolutions) for the development and NOAA for sponsoring.

Graticules for WMS maps

The graticules community module, developed as part of GEOS-11216, provides a datastore generating graticules for WMS maps, along with a rendering transformation that can be used to label them. The module can be used to draw a graticule in WMS maps, as well as to download them as part of WFS (or in combination with the WPS download module).

We’d like to thank Ian Turton for development and GeoSolutions for sponsoring the work.

GeoServer monitor Kafka storage

The monitoring Kafka storage module, developed as part of GEOS-11150, allows storing the requests captured by the monitoring extension into a Kafka topic.

We’d like to thank Simon Hofer for sharing his work with the community. To learn more about the module, how to install and use it, see the user-guide.

JWT Headers

The JWT headers module has been developed as part of GEOS-11317.

The module is a new authentication filter that can read JWT Headers, as well as general JSON payloads and simple strings, to identify a user, as well as to extract their roles. The combination of Apache mod_auth_openidc with geoserver-jwt-headers-plugin provides an alternative to using the geoserver-sec-oauth2-openid-connect-plugin plugin.

We’d like to thank David Blasby (GeoCat) for the work on this module.

Full Release notes

New Feature:

  • GEOS-11225 [AuthKey] AuthKey synchronize the user/group automatically


  • GEOS-10438 ENTITY_RESOLUTION_ALLOWLIST property not parsing empty setting
  • GEOS-11207 Refactor MapML MVC controller as GetMap-based operation with standard parameter format
  • GEOS-11221 mkdocs preflight rst fixes
  • GEOS-11289 Enable Spring Security StrictHttpFirewall by default
  • GEOS-11297 Escape WMS GetFeatureInfo HTML output by default
  • GEOS-11300 Centralize access to static web files


  • GEOS-11306 Java 17 does not support GetFeature lazy JDBC count(*)
  • GEOS-11130 Sort parent role dropdown in Add a new role
  • GEOS-11142 Add mime type mapping for yaml files
  • GEOS-11148 Update response headers for the Resources REST API
  • GEOS-11149 Update response headers for the Style Publisher
  • GEOS-11152 Improve handling special characters in the Simple SVG Renderer
  • GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
  • GEOS-11155 Add the X-Content-Type-Options header
  • GEOS-11173 Default to using HttpOnly session cookies
  • GEOS-11176 Add validation to file wrapper resource paths
  • GEOS-11213 Improve REST external upload method unzipping
  • GEOS-11222 Include Conformance Class for “Search” from OGC API - Features Part 5 proposal
  • GEOS-11226 Enable JTS OverlayNG by default
  • GEOS-11246 Schemaless plugin performance for WFS
  • GEOS-11247 Avoid HTML annotations special status in APIBodyProcessor
  • GEOS-11248 Move version header handling from APIBodyMethodProcessor to APIDispatcher
  • GEOS-11260 JNDI tutorial uses outdated syntax
  • GEOS-11288 Improve input validation in ClasspathPublisher
  • GEOS-11289 Enable Spring Security StrictHttpFirewall by default
  • GEOS-11298 When a Raster Attribute Table is available, expose its attributes in GetFeatureInfo


  • GEOS-11050 jdbc-store broken by changes to Paths.names
  • GEOS-11051 Env parametrization does not save correctly in AuthKey extension
  • GEOS-11145 The GUI “wait spinner” is not visible any longer
  • GEOS-11182 Avoid legends with duplicated entries
  • GEOS-11187 Configuring a raster with NaN as NODATA results in two NaN in the nodata band description
  • GEOS-11190 GeoFence: align log4j2 deps
  • GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
  • GEOS-11224 Platform independent binary doesn’t start properly with default data directory
  • GEOS-11250 WFS GeoJSON encoder fails with an exception if an infinity number is used in the geometry
  • GEOS-11278 metadata: only selected tab is submitted
  • GEOS-11312 Used memory calculation fix on legend WMS request


Community module development:

  • GEOS-11305 Add layer information in the models backing STAC
  • GEOS-11146 Fix MBTiles output format test
  • GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
  • GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
  • GEOS-11212 OIDC accessToken verification using only JWKs URI
  • GEOS-11219 Upgraded mail and activation libraries for SMTP compatibility
  • GEOS-11293 Improve performance of wps-lontigudinal-profile

About GeoServer 2.25 Series

Additional information on GeoServer 2.25 series:

Release notes: (2.25-RC)