
Geoserver EUVD-2025-17684

CVE-2025-30145 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
Published 2025-06-10 by security-advisories@github.com, GHSA-gr67-pwcv-76gf
CVSS 3.1 base score 7.5 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory; the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

EUVD ID Assigned (EUVD-2025-17684) - Mar 14, 2026 19:49 - source: euvd
Analysis Generated - Mar 14, 2026 19:49 - source: vuln.today
Patch released (patch available) - Mar 14, 2026 19:49 - source: nvd
CVE Published (HIGH 7.5) - Jun 10, 2025 15:15 - source: nvd

Description (GitHub Advisory)

GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.

Analysis (AI)

A denial-of-service vulnerability in GeoServer allows unauthenticated remote attackers to execute malicious Jiffle scripts, causing infinite loops and service unavailability. Affected versions are GeoServer prior to 2.25.7, 2.26.3, and 2.27.0. The vulnerability is triggered through WMS dynamic styling or WPS processes and requires no authentication or user interaction, making it easily exploitable by remote attackers.

Technical Context (AI)

The vulnerability resides in GeoServer's Jiffle script processing engine. Jiffle is a raster algebra language used for rendering transformations in WMS dynamic styles and as a WPS (Web Processing Service) process. The root cause is CWE-835 (Loop with Unreachable Exit Condition), where malicious Jiffle scripts can be crafted to enter infinite loops without proper validation or resource limits. GeoServer processes these scripts server-side during rendering or WPS execution, allowing an attacker to exhaust CPU resources and trigger denial of service. The vulnerability affects the rendering and processing pipeline components that parse and execute Jiffle expressions without adequate input validation or execution sandboxing.

Remediation (AI)

Immediate patching is the primary remediation:
(1) Upgrade to GeoServer 2.25.7, 2.26.3, or 2.27.0 or later.
(2) For organizations unable to patch immediately, implement these mitigations: disable WMS dynamic styling (styling transformations), disable the Jiffle WPS process, restrict WMS/WPS endpoint access via firewall or authentication, and implement request timeout limits at the application level.
(3) Monitor GeoServer logs for Jiffle-related processing errors or excessive CPU usage during rendering requests.
(4) Apply patches from the GeoServer project website (https://geoserver.org/announcements) when available, and consult vendor security advisories for detailed patch deployment guidance.
