The GeoServer community has readied the following CVE vulnerabilities for public disclosure.

• CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)
  Fixed: GeoServer 2.27.1 | GeoServer 2.26.3 | GeoServer 2.25.7

• CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)
  Fixed: GeoServer 2.27.0 | | GeoServer 2.26.3 | GeoServer 2.25.7

• CVE-2025-27505 Missing Authorization on REST API Index (Moderate)
  Fixed: GeoServer 2.26.3 | GeoServer 2.25.6

• CVE-2024-38524 GWC Home Page exposes sensitive server information (Moderate)
  Fixed: GeoServer 2.26.2 | GeoServer 2.25.6

• CVE-2024-40625 Coverage REST API Server Side Request Forgery (Moderate)
  Fixed: GeoServer 2.26.0

• CVE-2024-29198 Unauthenticated SSRF via TestWfsPost (High)
  CVE-2021-40822 SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx (High)
  Fixed: GeoServer 2.25.2 | GeoServer 2.24.4

  This duplication is due to CVE-2021-40822 being generated prior to our use of CVE records.

• CVE-2024-34711 Improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) (High)
  Fixed: GeoServer 2.25.0

The release announcements listed above have been updated.

Free software is a participation sport - to create a patch for a prior release volunteer with community development.

Q: How often should I upgrade GeoServer?

GeoServer operates with a time boxed release cycle, maintaining “stable” and “maintenance” releases, over the course of a year.

• Upgrade GeoServer twice a year as new stable releases are made.

• Once the release you are using has entered “maintenance” it is a good idea to upgrade (before the release is no longer supported).

• GeoServer security policy provides one year of support. You may also contact our service providers for extended support beyond this timeframe.

Q: Notification of security vulnerabilities?

Stay up to date:

1. Please monitor release announcements for the heading “Security Considerations”.

   Security Considerations

   This release addresses several security vulnerabilities, and is a recommended upgrade for production systems.

   You can review the release announcement, and decide to update.

2. When everyone has had an opportunity to update the details of the vulnerability are announced.

   Security Considerations

   This release addresses several security vulnerabilities, and is a recommended upgrade for production systems.

   • CVE-2024-29198 Unauthenticated SSRF via TestWfsPost (Moderate)

3. Review the full vulnerability to learn more:

   

4. Scanning tools also have access to this information when the report is published:

   

Q: Notification of security reports?

As incoming security reports contain sensitive information they are only shared with representatives of the geoserver-security email list.

Participation in geoserver-security, like commit access, is volunteer based and reflects trust.

Please review GeoServer Security Policy if you are in a position to help out.

GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.

( YouTube | LinkedIn | Facebook | X )

GeoServer Installation and Upgrade Guide

In this session, we will install GeoServer on Windows using the Web Archive installation method and upgrade to a new version, while retaining existing data.

If you want to access the complete tutorial, click on the link.

Introduction

GeoServer is a versatile, Java-based application compatible with various operating systems, provided a suitable Java Virtual Machine (JVM) is available. The latest versions of GeoServer have been tested with both Oracle JRE and OpenJDK.

The GeoServer WAR file is a platform-independent web archive designed for deployment on application servers. Apache Tomcat is the recommended servlet container due to its robust integration capabilities and comprehensive documentation. This setup allows multiple web applications to run concurrently, enabling GeoServer to operate alongside other Java-based services, enhancing server versatility.

Note. This guide outlines the installation of GeoServer 2.25.x using Java 17 and Apache Tomcat 9, followed by upgrade instructions. To ensure you have the latest release, please visit this link and avoid using older versions of GeoServer.

Preparing for Installation

Before proceeding, follow the steps below:

• Backup the existing GeoServer folder (if upgrading).

  The folder webapps/geoserver/data is the data directory containing your configuration settings you wish to preserve.

  The folder webapps/geoserver/WEB-INF/lib contains the deployed GeoServer web application, along with an extensions you have manually installed.

• Check the Modules tab under the Server Status page to see all installed extensions.
• Uninstall previous versions of Java and Apache Tomcat.

Installing Java Development Kit (JDK)

To download JDK 17, navigate to adoptium.net and select:

• Operating System: Windows
• Architecture: x64
• Package Type: JDK
• Version: 17-LTS

Download the .msi file and run it as an administrator. During installation, accept default settings and complete the setup.

Installing Apache Tomcat

To download and install Apache Tomcat software, navigate to tomcat.apache.org and select Tomcat 9 from the Download section.

Choose the 32-bit/64-bit Windows Service Installer and run it as an administrator.

During setup:

• Configure the ports (default recommended).
• Set a secure username and password for administration (avoiding common defaults like admin or tomcat).
• The installer should auto-detect the installed JDK; if not, the user manually selects the Java installation path.

To configure JVM memory allocation, navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin and run Tomcat9w.exe as an administrator.

In the Java tab, the user sets:

• Initial Memory Pool: 512 MB
• Maximum Memory Pool: 1024 MB

• Java Options: As required for running on Java 17.

       --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
       --add-opens=java.base/java.lang=ALL-UNNAMED
       --add-opens=java.base/java.util=ALL-UNNAMED
       --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
       --add-opens=java.base/java.text=ALL-UNNAMED
       --add-opens=java.desktop/java.awt.font=ALL-UNNAMED
       --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED
       --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED
       --add-opens=java.desktop/sun.java2d.pipe=ALL-UNNAMED
  

Switch to the General tab, and set Startup Type to Automatic, and start the Tomcat service.

Deploying GeoServer

Download the latest GeoServer WAR file from geoserver.org.

Extract the .war file and copy it to C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps.

To start GeoServer:

• Navigate http://localhost:8080/manager.
• Login with the Tomcat credentials.
• Click Start next to the GeoServer application.

The user accesses GeoServer at http://localhost:8080/geoserver and logs in using the default credentials:

• Username: admin
• Password: geoserver

Upgrading GeoServer

Stop GeoServer via the Tomcat Manager App, then replace the existing webapps/geoserver/data directory with the one from your backup.

Reinstall any compatible extensions for the new version, and restart GeoServer and verifies functionality.

In this session, we took a brief journey to installation of GeoServer using the Web Archive method. If you want to access the complete tutorial, click on the link.

Reference:

• Web archive (User Manual)
• Java Considerations (User Manual)

We are thrilled to announce that the GeoServer 3 crowdfunding campaign has not only met but exceeded its funding target! This remarkable achievement is a testament to the unwavering support and commitment of our global geospatial community.

Why This Matters: GeoServer 3 represents a significant leap forward in open-source geospatial technology. With the funds raised, we will:

• Modernize the platform by upgrading to Spring 6 and JDK 17, ensuring long-term support and compatibility.
• Enhance security through improved authentication mechanisms and compliance with current standards.
• Improve performance by replacing outdated components like JAI with modern alternatives such as ImageN.
• Align with modern deployment environments, facilitating cloud-native and containerized deployments.

Acknowledging Our Community: This milestone was made possible by the collective efforts of individuals, organizations, and institutions worldwide. Your contributions—be it through funding, advocacy, or development—have been instrumental in shaping the future of GeoServer.

Looking Ahead: Surpassing our funding goal allows us to invest additional resources into further enhancements and features, as prioritized by the GeoServer Project Steering Committee (PSC). This includes a stronger focus on security and vulnerability management, ensuring GeoServer remains robust, secure, and resilient in the face of evolving threats. These efforts will help ensure that GeoServer continues to evolve in line with the needs of its diverse user base.

Thank you for being an integral part of this journey. Together, we’ve laid a robust foundation for the next generation of open-source geospatial solutions.

Stay tuned for updates as we embark on this exciting new chapter!

The following organisations have pledged their support:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.

GeoServer 2.27.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. GeoServer 2.27.1 is made in conjunction with GeoTools 33.1, and GeoWebCache 1.27.1.

Thanks to Jody Garnett (GeoCat) and Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an critical update for production systems.

• CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)

• CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)

See project security policy for more information on how security vulnerabilities are managed.

Define Coverage views using Jiffle expressions

A really powerful new features for those working with coverages. You can now create a coverage using the Jiffle “raster calculator” domain specific language.

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. For more information please see the user guide. Thanks to Andrea Aime (GeoSolutions) for this new capability.

• GEOS-11797 Add support for Jiffle expressions in coverage view setup

Release notes

New Feature:

• GEOS-11800 Implement GeoServer WPS SpatioTemporalZonalStatistics process

Improvement:

• GEOS-11793 WPS Read Value from Coverage Position
• GEOS-11804 Disallow usage of var in GeoServer source code

Bug:

• GEOS-11274 Cannot get a JSON legend with an external reference to a non published directory
• GEOS-11751 Symbolizer URL in GetLegendGraphic JSON Request is Broken
• GEOS-11795 Incorrect clipping of point geometries in vector tiles
• GEOS-11808 Attribute names containing characters the XML Encoder can’t handle are accepted for input, causing errors
• GEOS-11817 GUI spinner remains after drag and drop
• GEOS-11818 PageUniqueProcess regression after [GEOT-7628]

Task:

• GEOS-11825 Random WPS build failure on Github
• GEOS-11826 Random build failures in gs-metadata when running on Github
• GEOS-11827 Random build failures in LocalResolvetest when running on github actions
• GEOS-11828 Random test failures in WFS 2.0 CITE tests, on Github actions

For the complete list see 2.27.1 release notes.

Community Updates

Community module development:

• GEOS-11816 Features templating OGC API fetch by ID fails

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.27 Series

Additional information on GeoServer 2.27 series:

• GeoServer 2.27 User Manual
• GeoServer 2025 Q2 Developer Update
• GeoServer 2025 Roadmap
• Content-Security-Policy Headers
• OGCAPI Features Extension
• File system access isolation
• Promote data dir catalog loader to core

Release notes: ( 2.27.1 | 2.27.0 )

GeoServer 2.26.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.26.3 is made in conjunction with GeoTools 32.3, and GeoWebCache 1.26.3.

Thanks to Jody Garnett and Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an critical update for existing installations.

• CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)

• CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)

• CVE-2025-27505 Missing Authorization on REST API Index (Moderate)

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. See project security policy for more information on how security vulnerabilities are managed.

Release notes

New Feature:

• GEOS-11797 Add support for Jiffle expressions in coverage view setup
• GEOS-11800 Implement GeoServer WPS SpatioTemporalZonalStatistics process

Improvement:

• GEOS-11757 Optimize ConfigurationPasswordEncryptionHelper to Cache Encrypted Fields by Store Type
• GEOS-11761 Add support for the clip vendor parameter to WCS as well
• GEOS-11766 Speed up CRS and store factory lookups during catalog loading
• GEOS-11793 WPS Read Value from Coverage Position
• GEOS-11804 Disallow usage of var in GeoServer source code

Bug:

• GEOS-10844 Exclude xml-apis from build
• GEOS-11274 Cannot get a JSON legend with an external reference to a non published directory
• GEOS-11620 Smart Data Loader plugin for GeoServer 2.26 produces a Mapping file data source definition and tries to establish a connection pool, but fails
• GEOS-11664 Update REST security paths
• GEOS-11684 GDAL no longer included in Docker image
• GEOS-11689 IOUtilsTest should not ping an external web site
• GEOS-11690 Bug in Externalize printing configuration folder
• GEOS-11696 AdminRequestCallback not loaded due to spring bean name conflict
• GEOS-11700 GeoFence fails in recognizing some caller IP address
• GEOS-11703 HEAD and OPTIONS requests on the REST API return a 403
• GEOS-11707 Ogr2OgrWfsTest test failures with GDAL 3.10.1
• GEOS-11710 Running Jiffle on coverage views causes the NODATA to be lost
• GEOS-11713 Concurrent LDAP builds fail on Jenkins
• GEOS-11716 WFS POST requests fail if a layer is misconfigured
• GEOS-11720 AttributeTypeInfoImpl doesn’t quote names properly
• GEOS-11722 Coverage view reader partially ignores multithreaded loading
• GEOS-11739 Excessive memory usage for WMS KML output format
• GEOS-11747 GeoServer does not throw JAI runtime exceptions
• GEOS-11751 Symbolizer URL in GetLegendGraphic JSON Request is Broken
• GEOS-11755 AbstractCatalogFacade leaves dangling references to temporary Catalog
• GEOS-11756 GeoServerDataDirectory’s default workspace location is wrong
• GEOS-11760 Fix a potential OOM in the KML transformation
• GEOS-11767 Regression: OL preview always uses JPEG format
• GEOS-11769 Race conditions in LayerGroupHelper when the default catalog is not fully initialized
• GEOS-11774 Logout with OAuth plugin will give error if logged in locally
• GEOS-11776 CVE-2025-27505 Moderate
• GEOS-11792 Default Service Capabilities shown on initial start with no workspaces
• GEOS-11795 Incorrect clipping of point geometries in vector tiles
• GEOS-11818 PageUniqueProcess regression after [GEOT-7628]

Task:

• GEOS-11682 Add tests for WMS SLD XML request reader
• GEOS-11701 Update JAI-Ext to 1.1.28
• GEOS-11743 Upgrade Oracle JDBC driver (ojdbc) from 8 to 11
• GEOS-11763 Update jai-ext to latest version (1.1.30)
• GEOS-11770 Update to jai-ext 1.1.31
• GEOS-11771 Update to Imageio-EXT 1.4.15
• GEOS-11791 Postpone controller logging after data validation

For the complete list see 2.26.3 release notes.

Community Updates

Community module development:

• GEOS-11694 OpenID connect: allow caching authentication when an expiration is declared in the access token
• GEOS-11711 Clickhouse DGGS stores fails to aggregate on dates
• GEOS-11715 STAC sortby won’t work with “properties.” prefixed names
• GEOS-11723 DGGS data store should be able to translate also intersection with multipolygon
• GEOS-11725 Environment parameters resolving is not working on Smart data loader
• GEOS-11738 Prevent error when oidc provider sends empty “&state=”
• GEOS-11741 Enhancing Smart Data Loader with Override Rules
• GEOS-11762 Feature Templates by feature type can not be listed via GeoServer Rest API
• GEOS-11783 Longitudinal profile process should allow for input chaining
• GEOS-11784 The longitudinal profile process should limit the number of points it can extract
• GEOS-11785 The longitudinal profile process should respect cancellation
• GEOS-11786 Longitudinal profile process: general performance improvements
• GEOS-11811 Features templating editor is unable to update and save the template body

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.26 Series

Additional information on GeoServer 2.26 series:

• GeoServer 2.26 User Manual
• GeoServer 2024 Q3 Developer Update
• Raster Attribute Table extension
• Community module graduation, amending generality rule
• Individual contributor clarification
• Migrate geoserver-users from SourceForge to discourse

Release notes: ( 2.26.3 | 2.26.2 | 2.26.1 | 2.26.0 | 2.26-M0 )