Esri Portal for ArcGIS
cpe:2.3:a:esri:portal_for_arcgis:*:*:*:*:*:*:*
- <= 11.4
A server-side request forgery (SSRF) vulnerability has been identified in Esri Portal for ArcGIS versions through 11.4. This vulnerability allows remote, unauthenticated attackers to bypass the application's SSRF protections.
Exploitation of this vulnerability could lead to unauthorized access to internal services or resources, allowing attackers to manipulate requests on behalf of the server.
Apply the Portal for ArcGIS Security 2025 Update 2 Patch, available through the Esri Support website. Upgrading to version 11.5 or greater is recommended; deployments running versions in Mature or Retired status should plan an upgrade to a General Availability release version.