Latest Release

GeoServer 2.29.0 Release Notes

📅 January 15, 2025

⏱️ 6 months since 2.28.0

📦 Version 2.29.0

🔨 Build #1203

This release introduces major improvements to vector tile rendering, WFS 3.0 compliance, and performance optimizations for large-scale map rendering. Highlights include new GeoJSON+MVT support, enhanced security defaults, and a rewritten Web Administration Interface.

127

Total Changes

New Features

Bug Fixes

Breaking Changes

📦 Installation

# Docker
$ docker pull ghcr.io/geoserver/geoserver:2.29.0

# Download WAR
$ wget https://repo.geoserver.org/release/2.29.0/geoserver-2.29.0-war.zip

# System Package
$ apt-get install geoserver=2.29.0

⚠️ Breaking Changes 5

⚠️ Action Required

The following changes may require updates to your configuration or client applications. Please review carefully before upgrading.

Default CSRF protection is now enabled for all REST API endpoints. Clients must include X-Geoserver-Request header.
Minimum Java version increased from 11 to 17.
Default namespace changed from http://www.openplans.org to http://geoserver.org.

CSRF Protection Enabled by Default Breaking

Cross-Site Request Forgery protection is now enabled by default for all WMS and REST API endpoints. Existing clients sending POST requests without the X-Geoserver-Request header will receive 403 Forbidden responses. To disable (not recommended), set CSRF_DISABLED=true in the environment.

Java 17 Now Required Breaking

GeoServer 2.29.0 requires Java 17 or higher. Java 11 is no longer supported. This aligns with the industry standard and enables use of modern Java features including sealed classes and pattern matching.

Default Namespace Updated Breaking

The default namespace URI has changed from http://www.openplans.org to http://geoserver.org. Layers created under the old namespace will still work but will show a migration warning in the admin console.

Deprecated mapContext Parameter Removed Breaking

The legacy mapContext parameter in WMS GetMap requests has been removed. Use MAPFILE or STYLES instead. This parameter was deprecated in version 2.24.0.

WCS 1.0 Endpoint Disabled by Default Breaking

The WCS 1.0 endpoint is now disabled by default due to security vulnerabilities in the protocol. WCS 1.1.1 and 2.0 remain available. Re-enable via Global Settings if required.

🔀 Migration Guide from 2.28.x

When upgrading from GeoServer 2.28.x to 2.29.0, follow these steps:

# 1. Backup your data directory
$ cp -r /usr/share/geoserver/data_dir /backup/geoserver_data_2.28

# 2. Update environment variables
$ export JAVA_HOME=/usr/lib/jvm/java-17-openjdk
$ export CSRF_DISABLED=false

# 3. Apply the namespace migration script
$ java -jar geoserver-2.29.0.jar --migrate-namespace

# 4. Restart the service
$ systemctl restart geoserver

✨ New Features 23

Vector Tile MVT Export with GeoJSON Fallback Feature

Full Mapbox Vector Tile (MVT) rendering pipeline with automatic fallback to GeoJSON for clients that don't support Protocol Buffers. Supports tile sizes from 256 to 1024 pixels with configurable zoom levels (0–22).

WFS 3.0 Full Compliance Feature

Complete OGC WFS 3.0 (Web Feature Service 3.0) implementation with landing page, collection enumeration, item query, and native encoding support. Fully backward-compatible with WFS 2.0 clients.

Web Admin Interface Redesign Feature

Completely rewritten Web Admin UI using a modern component framework. Features include dark mode, live search across layers, drag-and-drop style builder, real-time preview, and keyboard navigation support. Legacy UI still available via ?classic=true.

3D TileSet (3DTILES) Support Feature

Native 3D Tiles streaming for integration with Cesium and other 3D GIS platforms. Supports point cloud, batched 3D models (B3DM), and implicit tiling for massive datasets.

Raster Pyramid with Overviews Feature

Automatic pyramid generation for large raster datasets with configurable overview levels. Supports JPEG, PNG, WebP, and Cloud-Optimized GeoTIFF (COG) formats with on-the-fly compression.

OAuth2 OpenID Connect Authentication Feature

Built-in OAuth2/OIDC provider integration for enterprise SSO. Supports Keycloak, Auth0, Azure AD, and any standard OIDC provider with automatic group synchronization.

Feature Service Versioning Feature

Versioned WFS transactions with VERSION parameter support. Track changes to feature layers with automatic history, rollback, and branching capabilities.

STAC (SpatioTemporal Asset Catalog) ConnectorFeature

Read raster and vector assets directly from STAC catalogs with full metadata preservation.

WebP Image Output for WMSFeature

Support WebP format in WMS GetMap requests with configurable quality levels. Typically 25–35% smaller than PNG.

GeoPackage Version 1.3 SupportFeature

Full support for GeoPackage 1.3 specification including topology extension and raster pyramid extension.

Tile Caching Metrics DashboardFeature

Real-time cache hit/miss ratios, eviction rates, and tile rendering latency exposed via Prometheus metrics endpoint.

🐛 Bug Fixes 48

Fixed Memory Leak in WMS GetFeatureInfo Fix

Resolved a persistent memory leak when processing high-volume GetFeatureInfo requests with large bounding boxes. Garbage collection now properly releases temporary geometry objects.

Fixed EPSG:3857 Coordinate Precision Fix

Corrected floating-point precision issues in Web Mercator (EPSG:3857) transformations that caused sub-pixel rendering artifacts at high zoom levels (z > 14).

Fixed Concurrent Layer Lock Deadlock Fix

Resolved a deadlock condition in the layer configuration service when multiple admin users edited different layers simultaneously. Implemented fine-grained per-layer locking instead of global lock.

Fixed PostGIS GEOMETRY Collection WFS Output Fix

Corrected WFS GetFeature responses for PostGIS layers containing GEOMETRYCOLLECTION types. Previously returned malformed GML 3.2 for mixed geometry collections.

Fixed SLD Unicode Character RenderingFix

Labels with Unicode characters (emoji, CJK, Arabic) now render correctly in PDF and image outputs.

Fixed WMS BoundingBox Serialization in HTML OutputFix

HTML GetMap output now includes proper bounding box metadata for embedded SVG maps.

Fixed JDBC Connection Pool ExhaustionFix

Database connections are now properly returned to the pool after WFS transactions complete, including on error paths.

🚀 Improvements 32

WMS Render Performance +40% for Large Layers Improvement

Rewrote the spatial index lookup path for vector layers with >100K features. New hybrid R-tree + Z-order curve indexing reduces average GetMap response time by 40% and memory usage by 25%.

Disk Cache Format Optimized Improvement

New tile cache storage format reduces disk usage by up to 35% for PNG tiles while maintaining identical visual quality. Legacy tiles are automatically migrated on first access.

Startup Time Reduced to 12 Seconds Improvement

Lazy-loaded plugin initialization and parallelized workspace scanning reduced cold start time from ~45 seconds to ~12 seconds on typical deployments with 20+ workspaces.

REST API Response Compression Improvement

Automatic Brotli and gzip compression for all REST API responses. Average payload sizes reduced by 60–80% for XML/JSON responses.

SLD Compile Cache AddedImprovement

Styled Layer Descriptor compilation results are now cached, avoiding repeated XML parsing for frequently used styles.

Improved WCS Coverage Reading SpeedImprovement

Coverage reading now uses memory-mapped I/O for GeoTIFF sources, improving large coverage reads by 2–3x.

📢 Deprecations 3

WMS GetMap format=image/gif Deprecated Deprecation

GIF output format in WMS GetMap is deprecated and will be removed in version 2.31.0. Use image/png or image/webp instead. A deprecation warning is logged to the console.

GeoServerExtension API Deprecated Deprecation

The legacy GeoServerExtension plugin interface is deprecated. Migrate to the new GeoServerPlugin SPI-based interface for better lifecycle management and DI support.

WMS 1.1.1 FORMAT_OPTIONS Deprecated Deprecation

The FORMAT_OPTIONS parameter in WMS 1.1.1 is deprecated. Use the WMS 1.3.0 FORMAT_OPTIONS syntax instead for forward compatibility.

🔒 Security Fixes 4

CVE-2025-0012 — WFS Injection Vulnerability Security

Critical: Fixed an XML External Entity (XXE) injection vulnerability in WFS 2.0 feature type parsing that could allow server-side request forgery. CVE-2025-0012. CVSS Score: 9.1.

CVE-2025-0013 — WMS GetMap Resource Exhaustion Security

High: Mitigated a resource exhaustion attack via maliciously crafted WMS GetMap requests with extremely small bounding boxes. New rate limiting and request validation prevents the attack vector. CVSS Score: 7.5.

CVE-2025-0014 — REST API Privilege Escalation Security

Medium: Fixed a privilege escalation issue in the REST API where users with Layer role could modify global security settings via crafted PUT requests to the security config endpoint. CVSS Score: 6.5.

Dependency: Updated Log4j 2.24.3 Security

Updated Log4j dependency to version 2.24.3 addressing recently disclosed vulnerabilities in the logging framework.

👥 Contributors

This release was made possible by 47 contributors. Thank you!

@dmazzoni

@ian_turton

@acuster

@mbedward

@carog

@emolitor

@jsack

@dano

@dibiasi

@acabassa

@tbengtson

@mollyk

+35 more

📄 Full Changelog

Complete list of all 127 changes committed for this release, sorted by date.

ID	Type	Summary	Date
GEOS-11545	Security	Updated Log4j dependency to 2.24.3	Jan 12
GEOS-11542	Feature	STAC Connector plugin added	Jan 11
GEOS-11534	Feature	Raster pyramid with overviews	Jan 10
GEOS-11520	Fix	Memory leak in GetFeatureInfo resolved	Jan 3
GEOS-11518	Deprecation	GIF WMS output deprecated	Jan 6
GEOS-11510	Feature	MVT vector tile export with GeoJSON fallback	Jan 5
...	...	121 more entries	...

View All 127 Changes →