GeoServer 2.23.2 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. GeoServer 2.23.2 is made in conjunction with GeoTools 29.2 and GeoWebCache 1.23.1.

Thanks to Ian Turton for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

  • CVE-2023-43795 WPS Server Side Request Forgery
  • CVE-2023-41339 Unsecured WMS dynamic styling sld=url parameter affords blind unauthenticated SSRF
  • CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate)

2024-06-30 Update: The following mitigation has been provided:

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

    geoserver-2.23.2-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See the project security policy for more information on how security vulnerabilities are managed.

New Security > URL Checks page

This release adds a new Check URL facility under the Security menu. This allows administrators to manage OGC Service use of external resources.

URL Checks

For information and examples on how to use the URL Checks page, see the user guide documentation.

Release notes

New Feature:

  • GEOS-10949 Control remote resources accessed by GeoServer
  • GEOS-10992 Make GWC UI for disk quota expose HSQLDB, remove H2, automatically update existing installations

Improvement:

Bug:

  • GEOS-10874 Log4J: Windows binary zip release file with log4j-1.2.14.jar
  • GEOS-10875 Disk Quota JDBC password shown in plaintext
  • GEOS-10901 GetCapabilities lists the same style multiple times when used as both a default and alternate style
  • GEOS-10903 WMS filtering with Filter 2.0 fails
  • GEOS-10906 Authentication not sent if connection pooling activated
  • GEOS-10932 csw-iso: should only add ‘xsi:nil = false’ attribute
  • GEOS-10936 YSLD and OGC API modules are incompatible
  • GEOS-10964 Support virtual services for OSEO/STAC
  • GEOS-10980 CSS extension lacks ASM JARs as of 2.23.0, stops rendering layer when style references a file
  • GEOS-10981 Slow CSW GetRecords requests with JDBC Configuration
  • GEOS-10982 Wicket bug when trying to add new Vector Attribute (build 2.23 on Tomcat/Windows)
  • GEOS-10993 Disabled resources can cause incorrect CSW GetRecords response
  • GEOS-10994 OOM due to too many dimensions when range requested
  • GEOS-10997 GetCapabilities broken when using Data Security Layer groups
  • GEOS-10998 LayerGroupContainmentCache is being rebuilt on each ApplicationEvent
  • GEOS-11015 geopackage wfs output builds up tmp files over time
  • GEOS-11024 metadata: add datetime field type to feature catalog
  • GEOS-11025 projection parameter takes no effect on MongoDB Schemaless features WFS requests
  • GEOS-11026 ClassNotFoundException: org.h2.driver on shutdown
  • GEOS-11033 WCS DescribeCoverage ReferencedEnvelope with null crs
  • GEOS-11035 Enabling OSEO from Workspace Edit Page Results in an NPE
  • GEOS-11036 The OAuth2/OIDC security filters do not work as expected anymore after the spring-security-core dependency update to 5.7.8
  • GEOS-11046 Styles using the custom mark shape://dot don’t draw any fill
  • GEOS-11054 NullPointerException creating layer with REST, along with attribute list
  • GEOS-11055 Multiple layers against the same ES document type conflict with each other
  • GEOS-11060 charts and mssql extension zips are missing the extension
  • GEOS-11069 Layer configuration page doesn’t work for broken SQL views

Task:

  • GEOS-10987 Bump xalan:xalan and xalan:serializer from 2.7.2 to 2.7.3
  • GEOS-10988 Update spring.version from 5.3.26 to 5.3.27 and spring-integration.version from 5.5.17 to 5.5.18
  • GEOS-11008 Update sqlite-jdbc from 3.34.0 to 3.41.2.2
  • GEOS-11010 Upgrade guava from 30.1 to 32.0.0
  • GEOS-11011 Upgrade postgresql from 42.4.3 to 42.6.0
  • GEOS-11012 Upgrade commons-collections4 from 4.2 to 4.4
  • GEOS-11018 Upgrade commons-lang3 from 3.8.1 to 3.12.0
  • GEOS-11020 Add test scope to mockito-core dependency
  • GEOS-11062 Upgrade httpclient from 4.5.13 to 4.5.14
  • GEOS-11063 Upgrade httpcore from 4.4.10 to 4.4.16
  • GEOS-11067 Upgrade wiremock to 2.35.0

For the complete list see 2.23.2 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

Release notes: ( 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )