CVE-2025-21621: GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
(updated )
A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim’s browser through specially crafted SLD_BODY parameters.
References
- github.com/advisories/GHSA-w66h-j855-qr72
- github.com/geoserver/geoserver
- github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d
- github.com/geoserver/geoserver/pull/7406
- github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72
- nvd.nist.gov/vuln/detail/CVE-2025-21621
- osgeo-org.atlassian.net/browse/GEOS-11203
- osgeo-org.atlassian.net/browse/GEOS-11297
Code Behaviors & Features
Detect and mitigate CVE-2025-21621 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →