Server-Side Request Forgery (SSRF) in geoserver - CVE-2023-43795
Published: October 24, 2023 / Updated: May 5, 2026
geoserver
Detailed vulnerability description
The vulnerability allows a remote attacker to perform server-side request forgery.
The vulnerability exists due to improper access control in the OGC Web Processing Service (WPS) Execute operation when processing complex remote inputs from external URL references. A remote attacker can submit a crafted request referencing an external URL to perform server-side request forgery.
Exploitation requires the WPS extension to be installed, the "Disable complex inputs" setting to be unselected, and security URL checks to be disabled.
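To illustrate the complex remote inputs described above, this added example (not from the advisory or the GeoServer project) audits a WPS 1.0.0 Execute request body and reports each `wps:Reference` URL against a host allowlist. The allowlist, the sample request and its input names are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces defined by OGC WPS 1.0.0, OWS 1.1 and XLink.
NS = {"wps": "http://www.opengis.net/wps/1.0.0", "ows": "http://www.opengis.net/ows/1.1"}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumption: hosts this deployment legitimately fetches WPS inputs from.
ALLOWED_HOSTS = {"data.example.org"}

def classify(href):
    """Return 'allowed', 'internal' or 'unlisted' for one reference URL."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "unlisted"
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:  # host is a name, not an IP literal
        internal = host == "localhost"
    if internal:
        return "internal"
    return "allowed" if host in ALLOWED_HOSTS else "unlisted"

def audit_execute(xml_text):
    """List (input identifier, href, verdict) for every remote reference."""
    root = ET.fromstring(xml_text)
    findings = []
    for inp in root.iterfind(".//wps:Input", NS):
        ident = inp.findtext("ows:Identifier", default="?", namespaces=NS)
        for ref in inp.findall("wps:Reference", NS):
            href = ref.get(XLINK_HREF, "")
            findings.append((ident, href, classify(href)))
    return findings

# Constructed sample request body; input names and URLs are placeholders.
SAMPLE = """<wps:Execute service="WPS" version="1.0.0"
  xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1"
  xmlns:xlink="http://www.w3.org/1999/xlink">
<wps:DataInputs>
  <wps:Input><ows:Identifier>a</ows:Identifier>
    <wps:Reference xlink:href="https://data.example.org/a.json"/></wps:Input>
  <wps:Input><ows:Identifier>b</ows:Identifier>
    <wps:Reference xlink:href="http://10.0.0.5/x"/></wps:Input>
  <wps:Input><ows:Identifier>c</ows:Identifier>
    <wps:Reference xlink:href="http://other.example.net/c.xml"/></wps:Input>
</wps:DataInputs></wps:Execute>"""
if __name__ == "__main__":
    print(*audit_execute(SAMPLE), sep="\n")
```

The verdict is based on the URL text only; a hostname that resolves to an internal address is reported as unlisted, so treat unlisted hosts as findings too.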