GeoServer 2.25.2 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. This release is made ahead of schedule to address an urgent bug or security vulnerability (see CVE-2024-36401 below). GeoServer 2.25.2 is made in conjunction with GeoTools 31.2, and GeoWebCache 1.25.2.

Thanks to Jody Garnett (GeoCat) for making this release on behalf of GeoCat customers.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
  • CVE-2024-24749 Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat (Moderate)
  • CVE-2024-34696 GeoServer About Status lists sensitive Environmental Variables (Moderate)
  • CVE-2024-35230 Moderate

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. See the project security policy for more information on how security vulnerabilities are managed.

Demo Requests page rewritten

The Demo Request page has been rewritten to use JavaScript to issue POST examples. This provides a much better user experience:

  • Show Result lists the response headers to be viewed along side the returned result (with an option for XML pretty printing).
  • Show Result in a New Page is available to allow your browser to display the result.

The WCS Request Builder and WPS Request Builder demos now have the option to show their results in Demo Requests page. Combined these changes replace the previous practice of using an iframe popup, and have allowed the TestWfsPost servlet to be removed.

For more information please see the Demo requests in the User Guide.

Thanks to David Blasby (GeoCat) for these improvements, made on behalf of the GeoCat Live project.

  • GEOS-11390 Replace TestWfsPost with Javascript Demo Page

Release notes

New Feature:

  • GEOS-11390 Replace TestWfsPost with Javascript Demo Page


  • GEOS-11351 Exact term search in the pages’ filters


  • GEOS-7183 Demo request/wcs/wps pages incompatible with HTTPS/PKI
  • GEOS-11416 GeoPackage output contains invalid field types when exporting content from PostGIS
  • GEOS-11430 CiteComplianceHack not correctly parsing the context


  • GEOS-11411 Upgrade to ImageIO-EXT 1.4.11
  • GEOS-11426 Rework community dependency packaging to use module’s dependencies
  • GEOS-11429 Split COG community module packaging based on target cloud provider
  • GEOS-11432 Upgrade to ImageIO-EXT 1.4.12

For the complete list see 2.25.2 release notes.

Community Updates

Community module development:

  • GEOS-11412 Remove reference to JDOM from JMS Cluster (as JDOM is no longer in use)
  • GEOS-11413 STAC uses inefficient dabase queries when asking for collections in JSON format

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.25 Series

Additional information on GeoServer 2.25 series:

Release notes: ( 2.25.2 | 2.25.1 | 2.25.0 | 2.25-RC )