Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.
References (6)
Core 6
Core References
Patch release-notes
patch
https://github.com/GeoNode/geonode/releases/tag/5.0.2
Patch release-notes
patch
https://github.com/GeoNode/geonode/releases/tag/4.4.5
Issue Tracking issue-tracking
https://github.com/GeoNode/geonode/pull/14058
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload
Scores
CVSS v3
6.3
EPSS
0.0022
EPSS Percentile
12.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (5)
GeoNode/GeoNode
4.0 - 4.4.5
GeoNode/GeoNode
4.0.0 - 4.4.5
GeoNode/GeoNode
5.0 - 5.0.2
GeoNode/GeoNode
5.0.0 - 5.0.2
geosolutionsgroup/geonode
4.0.0 - 4.4.5
Published
Apr 10, 2026
Tracked Since
Apr 11, 2026