CVE-2025-30145
published 2025-06-10CVE-2025-30145: GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a…
PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.43%
34.5th percentile
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.25.7 | 2.25.7 |
| geoserver | geoserver | — | — |
| osgeo | geoserver | < 2.25.7 | 2.25.7 |
| osgeo | geoserver | >= 2.26.0 < 2.26.3 | 2.26.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
GeoServer Infinite Loop Vulnerability in Jiffle process
osv·2025-06-10
CVE-2025-30145 [HIGH] GeoServer Infinite Loop Vulnerability in Jiffle process
GeoServer Infinite Loop Vulnerability in Jiffle process
### Summary
Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service.
### Details
The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations.
### Impact
This vulnerability allows attackers to conduct denial-of-service attacks.
### Mitigation
This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.h
GHSA
GeoServer Infinite Loop Vulnerability in Jiffle process
ghsa·2025-06-10
CVE-2025-30145 [HIGH] CWE-835 GeoServer Infinite Loop Vulnerability in Jiffle process
GeoServer Infinite Loop Vulnerability in Jiffle process
### Summary
Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service.
### Details
The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations.
### Impact
This vulnerability allows attackers to conduct denial-of-service attacks.
### Mitigation
This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.h
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-10
Published