High severityNVD Advisory· Published Jun 10, 2025· Updated Jun 10, 2025
GeoServer has an Infinite Loop Vulnerability in Jiffle process
CVE-2025-30145
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.geoserver.web:gs-web-appMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver:gs-wmsMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver.extension:gs-wps-coreMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver.web:gs-web-appMaven | < 2.25.7 | 2.25.7 |
org.geoserver:gs-wmsMaven | < 2.25.7 | 2.25.7 |
org.geoserver.extension:gs-wps-coreMaven | < 2.25.7 | 2.25.7 |
Affected products
4- ghsa-coords3 versionspkg:maven/org.geoserver.extension/gs-wps-corepkg:maven/org.geoserver/gs-wmspkg:maven/org.geoserver.web/gs-web-app
>= 2.26.0, < 2.26.3+ 2 more
- (no CPE)range: >= 2.26.0, < 2.26.3
- (no CPE)range: >= 2.26.0, < 2.26.3
- (no CPE)range: >= 2.26.0, < 2.26.3
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-gr67-pwcv-76gfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-30145ghsaADVISORY
- github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gfghsax_refsource_CONFIRMWEB
- github.com/geosolutions-it/jai-ext/pull/307ghsax_refsource_MISCWEB
- osgeo-org.atlassian.net/browse/GEOS-11778ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.