High severityNVD Advisory· Published Jun 10, 2025· Updated Jun 10, 2025
GeoServer has an Infinite Loop Vulnerability in Jiffle process
CVE-2025-30145
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.geoserver.web:gs-web-appMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver:gs-wmsMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver.extension:gs-wps-coreMaven | >= 2.26.0, < 2.26.3 | 2.26.3 |
org.geoserver.web:gs-web-appMaven | < 2.25.7 | 2.25.7 |
org.geoserver:gs-wmsMaven | < 2.25.7 | 2.25.7 |
org.geoserver.extension:gs-wps-coreMaven | < 2.25.7 | 2.25.7 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-gr67-pwcv-76gfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-30145ghsaADVISORY
- github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gfghsax_refsource_CONFIRMWEB
- github.com/geosolutions-it/jai-ext/pull/307ghsax_refsource_MISCWEB
- osgeo-org.atlassian.net/browse/GEOS-11778ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.