CVE-2025-30145

GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf	Third Party Advisory
https://github.com/geosolutions-it/jai-ext/pull/307	Patch
https://osgeo-org.atlassian.net/browse/GEOS-11778	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:osgeo:geoserver::::::::
	cpe:2.3:a:osgeo:geoserver::::::::

History

26 Aug 2025, 16:11

Type	Values Removed	Values Added
References	~~() https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf -~~	() https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf - Third Party Advisory
References	~~() https://github.com/geosolutions-it/jai-ext/pull/307 -~~	() https://github.com/geosolutions-it/jai-ext/pull/307 - Patch
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11778 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11778 - Permissions Required
CPE		cpe:2.3:a:osgeo:geoserver::::::::
First Time		Osgeo geoserver Osgeo

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 15:15

Updated : 2025-08-26 16:11

NVD link : CVE-2025-30145

Mitre link : CVE-2025-30145

CVE.ORG link : CVE-2025-30145

JSON object : View

Products Affected

osgeo

geoserver

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2025-30145", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-06-10T15:15:24.070", "references": [{"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/geosolutions-it/jai-ext/pull/307", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11778", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."}, {"lang": "es", "value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. GeoServer puede ejecutar scripts Jiffle maliciosos, ya sea como una transformaci\u00f3n de renderizado en estilos din\u00e1micos WMS o como un proceso WPS, que pueden entrar en un bucle infinito y provocar una denegaci\u00f3n de servicio. Esta vulnerabilidad se ha corregido en las versiones 2.27.0, 2.26.3 y 2.25.7. Esta vulnerabilidad se puede mitigar deshabilitando los estilos din\u00e1micos WMS y el proceso Jiffle."}], "lastModified": "2025-08-26T16:11:23.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F0B3A06-FC80-4BDD-8E00-1AE8D51A5930", "versionEndExcluding": "2.25.7"}, {"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "657234C4-41D0-4CD9-B1DD-BBF565C608C6", "versionEndExcluding": "2.26.3", "versionStartIncluding": "2.26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}