CVE-2025-30145

GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf
https://github.com/geosolutions-it/jai-ext/pull/307
https://osgeo-org.atlassian.net/browse/GEOS-11778

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) GeoServer es un servidor de código abierto que permite a los usuarios compartir y editar datos geoespaciales. GeoServer puede ejecutar scripts Jiffle maliciosos, ya sea como una transformación de renderizado en estilos dinámicos WMS o como un proceso WPS, que pueden entrar en un bucle infinito y provocar una denegación de servicio. Esta vulnerabilidad se ha corregido en las versiones 2.27.0, 2.26.3 y 2.25.7. Esta vulnerabilidad se puede mitigar deshabilitando los estilos dinámicos WMS y el proceso Jiffle.

10 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 15:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-30145

Mitre link : CVE-2025-30145

CVE.ORG link : CVE-2025-30145

JSON object : View

Products Affected

No product.

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

7.5 /10