
DIVD-2023-00024 - SQL injection in GeoServer - CVE-2023-25157

Our reference: DIVD-2023-00024
Case lead: Max van der Horst
Author: Jeroen van de Weerd
Product: GeoServer
  • < 2.21.4
  • < 2.22.2
Recommendation: Install patches.
Status: Closed
Last modified: 26 Sep 2023 11:50


GeoServer located a vulnerability in the GeoTools Library that allows SQL Injection using OGC Filter and Function expressions. A POC is available.

What you can do

GeoServer advises installing the patch by upgrading to version 2.23.0. If this is not possible, there are a few mitigations available. These include disabling the PostGIS DataStore encode functions setting, which mitigates the vulnerabilities in the strStartsWith and strEndsWith parameters, and enabling the PostGIS DataStore preparedStatements functionality, which mitigates the FeatureId vulnerability. Note that these mitigations are known to cause significant slowdowns.
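To check whether the two mitigations above are in place on a server that cannot be upgraded yet, the following added example (not part of the GeoServer advisory or DIVD tooling) audits a store definition. It assumes PostGIS stores are saved as datastore.xml files whose connectionParameters entries use the keys "dbtype", "encode functions" and "preparedStatements"; the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GeoServer data-directory datastore.xml (assumed layout).
SAMPLE_DATASTORE_XML = """<dataStore>
  <name>parcels</name>
  <type>PostGIS</type>
  <connectionParameters>
    <entry key="dbtype">postgis</entry>
    <entry key="encode functions">true</entry>
    <entry key="preparedStatements">false</entry>
  </connectionParameters>
</dataStore>"""


def _as_bool(text):
    """Map an entry value to True/False, or None when missing or unparseable."""
    if text is None:
        return None
    return {"true": True, "false": False}.get(text.strip().lower())


def audit_datastore(xml_text):
    """Return findings for one datastore.xml; an empty list means both mitigations are set."""
    root = ET.fromstring(xml_text)
    params = {e.get("key"): e.text for e in root.iter("entry")}
    if (params.get("dbtype") or "").strip().lower() != "postgis":
        return []  # the mitigations on this page apply to PostGIS stores only
    name = root.findtext("name", default="<unnamed>")
    findings = []
    encode = _as_bool(params.get("encode functions"))
    prepared = _as_bool(params.get("preparedStatements"))
    # An absent key is reported too: the effective default is not visible in the file.
    if encode is not False:
        state = "enabled" if encode else "not set explicitly"
        findings.append(f"{name}: encode functions {state} "
                        "(strStartsWith/strEndsWith mitigation missing)")
    if prepared is not True:
        state = "disabled" if prepared is False else "not set explicitly"
        findings.append(f"{name}: preparedStatements {state} "
                        "(FeatureId mitigation missing)")
    return findings


if __name__ == "__main__":
    for line in audit_datastore(SAMPLE_DATASTORE_XML):
        print(line)
```

Run it over every datastore.xml in the data directory; any output line names a store that still needs one of the mitigations or the upgrade.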

What we are doing

DIVD is currently working to identify vulnerable parties and notify them. We do this by finding GeoServer instances and extracting the version name. Vulnerable parties will receive a notification with remediation steps.


Date Description
20 Feb 2023 GeoServer publishes advisory.
06 Jun 2023 POC becomes available.
07 Jun 2023 DIVD starts researching fingerprint.
07 Jun 2023 First version of this casefile.
04 Jul 2023 DIVD starts notification round.
26 Sep 2023 Case closed.

More information