Vulnerability Monitor

CVE-2025-30145


GeoServer is an open source server that allows users to share and edit geospatial data. GeoServer can execute malicious Jiffle scripts, either as a rendering transformation in WMS dynamic styles or as a WPS process, and such a script can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. It can be mitigated by disabling WMS dynamic styling and the Jiffle process.


Published: 2025-06-10T15:15:24.070
Last Modified: 2025-08-26T16:11:23.463
Status: Analyzed
Source: [email protected]
Severity: CVSSv3.1 7.5 (HIGH)

Weaknesses
  • Type: Primary
    CWE-835

Affected Vendors & Products

Type         Vendor  Product    Version/Range  Vulnerable?
Application  osgeo   geoserver  < 2.25.7       Yes
Application  osgeo   geoserver  < 2.26.3       Yes

References