GeoServer 2.24.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. GeoServer 2.24.1 is made in conjunction with GeoTools 30.1, and GeoWebCache 1.24.1.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

  • CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
  • CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
  • CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format (Moderate).
  • CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
  • CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate).
  • CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).

See project security policy for more information on how security vulnerabilities are managed.

Release notes


  • GEOS-11152 Improve handling special characters in the Simple SVG Renderer
  • GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
  • GEOS-11154 Improve handling special characters in the MapML HTML Page
  • GEOS-11155 Add the X-Content-Type-Options header
  • GEOS-11173 Default to using HttpOnly session cookies
  • GEOS-11176 Add validation to file wrapper resource paths
  • GEOS-11188 Let DownloadProcess handle download requests whose pixel size is larger than integer limits
  • GEOS-11189 Add an option to throw a service exception when nearest match “allowed interval” is exceeded
  • GEOS-11193 Add an option to throw an exception when the time nearest match does not fall within search limits


  • GEOS-11074 GeoFence may not load property file at boot
  • GEOS-11166 OGC API Maps HTML representation fail without datetime parameter
  • GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
  • GEOS-11190 GeoFence: align log4j2 deps
  • GEOS-11196 NPE in VectorDownload if ROI not defined
  • GEOS-11200 GetFeatureInfo can fail on rendering transformations that generate a different raster
  • GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
  • GEOS-11206 Throw nearest match mismatch exceptions only for WMS

For the complete list see 2.24.1 release notes.

Community Module Updates

OAuth2 OpenID-Connect improvements

Two improvements have been made to the community module for OAuth2 OpenID-Connect authentication:

  • GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
  • GEOS-11212 OIDC accessToken verification using only JWKs URI

In addition the module includes an OIDC_LOGGING profile and updated documentation covering new settings and troubleshooting guidance.

Thanks Jody Garnett for these improvements on behalf of GeoBeyond.

note: Over the course of 2024 the OAuth2 plugins will need to be rewritten for spring-framework 6. Interested parties are encouraged to reach out to geoserver-devel email list; ideally we would like to see this functionality implemented and included as part of GeoServer.

About GeoServer 2.24 Series

Additional information on GeoServer 2.24 series:

Release notes: ( 2.24.1 | 2.24.0 | 2.24-RC )

GeoServer is an Open Source Geospatial Foundation project supported by a mix of volunteer and service provider activity. We reply on sponsorship to fund activities beyond the reach of individual contributors.