The GeoServer team are really pleased to announce that our long-lost CITE Certification has been regained (for 2.27) over the last 6 months.

OGC CITE Certification is important for two reasons:

• Provides a source of black-box testing ensuring that each GeoServer release behaves as intended.
• Provides a logo and visibility for the project helping to promote the use of open standards.

Recent activity:

• As part of a Camptocamp organized OGC API - Features sprint Gabriel was able setup a GitHub workflow restoring the use of CITE testing for black-box testing of GeoServer. Gabriel focused on OGC API - Features certification but found WMS 1.1 and WCS 1.1 tests would also pass out of the box, providing a setup for running the tests in each new pull request.
• Andrea made further progress certifying the output produced by GeoServer, restoring the WMS 1.3, WFS 1.0 and WFS 1.1 tests, as well as upgrading the test engine to the latest production release. In addition, CITE tests that weren’t run in the past have been added, like WFS 2.0 and GeoTIFF, while other new tests are in progress, like WCS 2.0, WMTS 1.0 and GeoPackage.
• Peter set up multiple GeoServers for the testing and to act as reference implementations (hosting graciously provided by the Open Source Geospatial Foundation) and ran the test suites.
• Angelos Tzotsos (OSGeo) submitted the certification request to OGC.
• Gobe Hobona (OGC) approved all of our submissions.

Many thanks to all who were involved! After approximately 10 years, we can once again officially confirm that GeoServer is OGC compliant.

Developer Documentation

For developers, read more about the certification process and how to expand on it for additional services.

CITE Certification Sponsorship

Thank you to Gaia3D and OSGeo:UK for sponsorship covering the expense of CITE Certification for 2025.

This certification process is expensive, and we will require sponsorship for 2026 if we wish to maintain certified status.

However, as mentioned above, these CITE tests are automatically run as part of our build process for each new pull request, so we can unofficially verify that we pass CITE tests, but we cannot claim to be compliant.

If you/your organization finds the CITE Certification valuable, please contact the Project Steering Committee to sponsor the annual renewal. The more organizations that are able to sponsor, the lower the expense will be to each organization (sharing the approx USD $1,000 per year cost).

GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.

( YouTube | LinkedIn | Facebook | X )

GeoServer WPS Extension Installation Guide

This session covers the steps to install the WPS (Web Processing Service) extension in GeoServer, enabling advanced geospatial data processing capabilities through standardized web service operations.

If you want to access the complete tutorial, click on the link.

Introduction

GeoServer is a powerful open-source server application that enables users to publish geospatial data and interactive maps on the web. It supports a wide range of data formats and protocols, making it a flexible solution for managing and delivering geospatial content. One of its standout capabilities is functioning as a geoprocessing server.

Geoprocessing involves analyzing spatial data to derive insights and perform operations such as Buffer, Clip, Union, Contour, and more. By default, GeoServer does not include Web Processing Service (WPS) functionality. However, WPS is available as an optional extension that’s easy to install. Adding this extension unlocks advanced geospatial analysis and processing features directly within GeoServer. To get started, download the WPS extension ZIP file that matches your GeoServer version.

Note: This tutorial uses GeoServer version 2.25.3. Be sure to download the WPS extension that corresponds exactly to your GeoServer version—mismatched versions will result in errors.

Installing the WPS Extension

Here are the steps to install the WPS extension in GeoServer:

• Navigate to the GeoServer website and select the download link.
• Under the Archive tab, choose the version that matches your installed GeoServer.
• Select the WPS option from the Services section. After a few seconds, the extension file will begin downloading automatically.

Prepare for Installation:

• It’s recommended to stop GeoServer before installing any extensions. This will prevent any potential conflicts or problems during the installation process.
• Unzip the downloaded WPS extension file.
• Copy all extracted .jar files directly into the WEB-INF/lib directory of your GeoServer installation. Ensure the extracted files are placed directly in this directory, avoiding subfolders.
• Once the files are in place, restart GeoServer to ensure that the changes take effect. This activates the newly installed WPS extension.

Verifying the WPS Extension Installation

Once GeoServer is running again, open the GeoServer web interface. From the Server Status section, click on the Modules tab to confirm that the WPS extension is in the list of installed modules.

Testing WPS Functionality:

• Navigate to the Demos section in the GeoServer interface.

• Select WPS Request Builder to access a tool for testing WPS processes.

• The WPS Request Builder consists of a drop-down list containing various processes. It supports many types of processes that are categorized based on prefixes. These prefixes are:
  • JTS: Java Topology Suite
  • geo: geometry processes
  • ras: raster processes
  • vec: Vector processes
  • gs: GeoServer-specific processes
• The geo and JTS processes return text-based analysis results but do not support internal GeoServer layers as input.
• The gs and vec function groups support both text input and GeoServer layers or WFS layer URLs.
• For raster data analysis, use processes with the Ras prefix.

In this session, we took a brief look at how to install the WPS extension in GeoServer. To access the full tutorial, click on this link.

The GeoServer community has readied the following CVE vulnerabilities for public disclosure.

• CVE-2025-30220 XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service (High)
  Fixed: GeoServer 2.27.1 | GeoServer 2.26.3 | GeoServer 2.25.7

• CVE-2025-30145 Denial-of-service (DoS) Vulnerability in Jiffle process (High)
  Fixed: GeoServer 2.27.0 | | GeoServer 2.26.3 | GeoServer 2.25.7

• CVE-2025-27505 Missing Authorization on REST API Index (Moderate)
  Fixed: GeoServer 2.26.3 | GeoServer 2.25.6

• CVE-2024-38524 GWC Home Page exposes sensitive server information (Moderate)
  Fixed: GeoServer 2.26.2 | GeoServer 2.25.6

• CVE-2024-40625 Coverage REST API Server Side Request Forgery (Moderate)
  Fixed: GeoServer 2.26.0

• CVE-2024-29198 Unauthenticated SSRF via TestWfsPost (High)
  CVE-2021-40822 SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx (High)
  Fixed: GeoServer 2.25.2 | GeoServer 2.24.4

  This duplication is due to CVE-2021-40822 being generated prior to our use of CVE records.

• CVE-2024-34711 Improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) (High)
  Fixed: GeoServer 2.25.0

The release announcements listed above have been updated.

Free software is a participation sport - to create a patch for a prior release volunteer with community development.

Q: How often should I upgrade GeoServer?

GeoServer operates with a time boxed release cycle, maintaining “stable” and “maintenance” releases, over the course of a year.

• Upgrade GeoServer twice a year as new stable releases are made.

• Once the release you are using has entered “maintenance” it is a good idea to upgrade (before the release is no longer supported).

• GeoServer security policy provides one year of support. You may also contact our service providers for extended support beyond this timeframe.

Q: Notification of security vulnerabilities?

Stay up to date:

1. Please monitor release announcements for the heading “Security Considerations”.

   Security Considerations

   This release addresses several security vulnerabilities, and is a recommended upgrade for production systems.

   You can review the release announcement, and decide to update.

2. When everyone has had an opportunity to update the details of the vulnerability are announced.

   Security Considerations

   This release addresses several security vulnerabilities, and is a recommended upgrade for production systems.

   • CVE-2024-29198 Unauthenticated SSRF via TestWfsPost (Moderate)

3. Review the full vulnerability to learn more:

   

4. Scanning tools also have access to this information when the report is published:

   

Q: Notification of security reports?

As incoming security reports contain sensitive information they are only shared with representatives of the geoserver-security email list.

Participation in geoserver-security, like commit access, is volunteer based and reflects trust.

Please review GeoServer Security Policy if you are in a position to help out.

GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.

( YouTube | LinkedIn | Facebook | X )

GeoServer Installation and Upgrade Guide

In this session, we will install GeoServer on Windows using the Web Archive installation method and upgrade to a new version, while retaining existing data.

If you want to access the complete tutorial, click on the link.

Introduction

GeoServer is a versatile, Java-based application compatible with various operating systems, provided a suitable Java Virtual Machine (JVM) is available. The latest versions of GeoServer have been tested with both Oracle JRE and OpenJDK.

The GeoServer WAR file is a platform-independent web archive designed for deployment on application servers. Apache Tomcat is the recommended servlet container due to its robust integration capabilities and comprehensive documentation. This setup allows multiple web applications to run concurrently, enabling GeoServer to operate alongside other Java-based services, enhancing server versatility.

Note. This guide outlines the installation of GeoServer 2.25.x using Java 17 and Apache Tomcat 9, followed by upgrade instructions. To ensure you have the latest release, please visit this link and avoid using older versions of GeoServer.

Preparing for Installation

Before proceeding, follow the steps below:

• Backup the existing GeoServer folder (if upgrading).

  The folder webapps/geoserver/data is the data directory containing your configuration settings you wish to preserve.

  The folder webapps/geoserver/WEB-INF/lib contains the deployed GeoServer web application, along with an extensions you have manually installed.

• Check the Modules tab under the Server Status page to see all installed extensions.
• Uninstall previous versions of Java and Apache Tomcat.

Installing Java Development Kit (JDK)

To download JDK 17, navigate to adoptium.net and select:

• Operating System: Windows
• Architecture: x64
• Package Type: JDK
• Version: 17-LTS

Download the .msi file and run it as an administrator. During installation, accept default settings and complete the setup.

Installing Apache Tomcat

To download and install Apache Tomcat software, navigate to tomcat.apache.org and select Tomcat 9 from the Download section.

Choose the 32-bit/64-bit Windows Service Installer and run it as an administrator.

During setup:

• Configure the ports (default recommended).
• Set a secure username and password for administration (avoiding common defaults like admin or tomcat).
• The installer should auto-detect the installed JDK; if not, the user manually selects the Java installation path.

To configure JVM memory allocation, navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin and run Tomcat9w.exe as an administrator.

In the Java tab, the user sets:

• Initial Memory Pool: 512 MB
• Maximum Memory Pool: 1024 MB

• Java Options: As required for running on Java 17.

       --add-exports=java.desktop/sun.awt.image=ALL-UNNAMED
       --add-opens=java.base/java.lang=ALL-UNNAMED
       --add-opens=java.base/java.util=ALL-UNNAMED
       --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
       --add-opens=java.base/java.text=ALL-UNNAMED
       --add-opens=java.desktop/java.awt.font=ALL-UNNAMED
       --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED
       --add-opens=java.naming/com.sun.jndi.ldap=ALL-UNNAMED
       --add-opens=java.desktop/sun.java2d.pipe=ALL-UNNAMED
  

Switch to the General tab, and set Startup Type to Automatic, and start the Tomcat service.

Deploying GeoServer

Download the latest GeoServer WAR file from geoserver.org.

Extract the .war file and copy it to C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps.

To start GeoServer:

• Navigate http://localhost:8080/manager.
• Login with the Tomcat credentials.
• Click Start next to the GeoServer application.

The user accesses GeoServer at http://localhost:8080/geoserver and logs in using the default credentials:

• Username: admin
• Password: geoserver

Upgrading GeoServer

Stop GeoServer via the Tomcat Manager App, then replace the existing webapps/geoserver/data directory with the one from your backup.

Reinstall any compatible extensions for the new version, and restart GeoServer and verifies functionality.

In this session, we took a brief journey to installation of GeoServer using the Web Archive method. If you want to access the complete tutorial, click on the link.

Reference:

• Web archive (User Manual)
• Java Considerations (User Manual)

We are thrilled to announce that the GeoServer 3 crowdfunding campaign has not only met but exceeded its funding target! This remarkable achievement is a testament to the unwavering support and commitment of our global geospatial community.

Why This Matters: GeoServer 3 represents a significant leap forward in open-source geospatial technology. With the funds raised, we will:

• Modernize the platform by upgrading to Spring 6 and JDK 17, ensuring long-term support and compatibility.
• Enhance security through improved authentication mechanisms and compliance with current standards.
• Improve performance by replacing outdated components like JAI with modern alternatives such as ImageN.
• Align with modern deployment environments, facilitating cloud-native and containerized deployments.

Acknowledging Our Community: This milestone was made possible by the collective efforts of individuals, organizations, and institutions worldwide. Your contributions—be it through funding, advocacy, or development—have been instrumental in shaping the future of GeoServer.

Looking Ahead: Surpassing our funding goal allows us to invest additional resources into further enhancements and features, as prioritized by the GeoServer Project Steering Committee (PSC). This includes a stronger focus on security and vulnerability management, ensuring GeoServer remains robust, secure, and resilient in the face of evolving threats. These efforts will help ensure that GeoServer continues to evolve in line with the needs of its diverse user base.

Thank you for being an integral part of this journey. Together, we’ve laid a robust foundation for the next generation of open-source geospatial solutions.

Stay tuned for updates as we embark on this exciting new chapter!

GeoServer 3 is supported by the following organisation:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.