CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts, submitted either as a rendering transformation in a WMS dynamic style or as a WPS process, can be executed by GeoServer and made to enter an infinite loop, triggering denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. It can be mitigated by disabling WMS dynamic styling and the Jiffle process.
Analysis
A denial-of-service vulnerability in GeoServer allows unauthenticated remote attackers to submit malicious Jiffle scripts that run in an infinite loop and make the service unavailable. Affected versions are GeoServer releases prior to 2.25.7, 2.26.3, and 2.27.0. The vulnerability is triggered through WMS dynamic styling or WPS processes and requires neither authentication nor user interaction (CVSS PR:N/UI:N), so it is easily exploitable from the network.
Technical Context
The vulnerability resides in GeoServer's Jiffle script processing engine. Jiffle is a raster algebra language used for rendering transformations in WMS dynamic styles and as a WPS (Web Processing Service) process. The root cause is CWE-835 (Loop with Unreachable Exit Condition), where malicious Jiffle scripts can be crafted to enter infinite loops without proper validation or resource limits. GeoServer processes these scripts server-side during rendering or WPS execution, allowing an attacker to exhaust CPU resources and trigger denial of service. The vulnerability affects the rendering and processing pipeline components that parse and execute Jiffle expressions without adequate input validation or execution sandboxing.
Affected Products
GeoServer (https://geoserver.org) versions prior to 2.25.7, prior to 2.26.3, and prior to 2.27.0. Affected components: (1) the WMS rendering transformation functionality that executes Jiffle scripts, (2) WPS execution of the Jiffle process. An approximate CPE is cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* with versions <2.25.7 (2.25.x branch), <2.26.3 (2.26.x branch), and <2.27.0 (2.27.x branch). All GeoServer instances with WMS dynamic styling or WPS enabled that accept external or user-supplied Jiffle script input are affected.
Remediation
Immediate patching is the primary remediation: (1) Upgrade to GeoServer 2.25.7, 2.26.3, or 2.27.0 or later. (2) Where patching cannot happen immediately, apply these mitigations: disable WMS dynamic styling (styling transformations), disable the Jiffle WPS process, restrict access to the WMS/WPS endpoints by firewall or authentication, and enforce request timeout limits at the application level. (3) Monitor GeoServer logs for Jiffle-related processing errors and for excessive CPU usage during rendering requests. (4) Apply patches from the GeoServer project website (https://geoserver.org/announcements) as they become available, and consult the vendor security advisory for patch deployment guidance.
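As an added example (not from this page or the GeoServer project), the log-review step above as a small Python check: it flags WMS requests that carry client-supplied styling (SLD or SLD_BODY) or WPS Execute calls to a Jiffle process, and marks requests that ran unusually long. The log line format, the 30 s threshold and the process identifier ras:Jiffle are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed "<ts> <service> <ms> <path?query>" format;
# this is not real GeoServer log output, so adapt parse_line() to your request log.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z wms 120 /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:dem&SLD=http://styles.example/dem.sld
2025-06-01T10:00:05Z wms 60000 /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:dem&SLD_BODY=%3CTransformation%3E%3Cogc%3AFunction%20name%3D%22ras%3AJiffle%22%3E
2025-06-01T10:00:09Z wps 45000 /geoserver/wps?SERVICE=WPS&REQUEST=Execute&IDENTIFIER=ras:Jiffle
2025-06-01T10:00:12Z wms 90 /geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\S+) (?P<ms>\d+) (?P<url>\S+)$")
SLOW_MS = 30_000  # assumed threshold; set it just above your normal GetMap/Execute latency

def parse_line(line):
    """Split one log line into timestamp, duration (ms) and upper-cased KVP parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = {k.upper(): v[0] for k, v in parse_qs(urlsplit(m["url"]).query).items()}
    return {"ts": m["ts"], "ms": int(m["ms"]), "params": params}

def classify(rec):
    """Return the reasons a request deserves review (empty list if none)."""
    p, reasons = rec["params"], []
    # Dynamic styling: client-supplied SLD, inline (SLD_BODY) or by reference (SLD);
    # parse_qs has already URL-decoded the values, so the XML fragment is searchable.
    style = p.get("SLD_BODY", "") + p.get("SLD", "")
    if style:
        reasons.append("dynamic_style")
        if "jiffle" in style.lower():
            reasons.append("jiffle_transformation")
    # WPS Execute of a Jiffle process; "ras:Jiffle" is the assumed process identifier.
    if p.get("REQUEST", "").lower() == "execute" and "jiffle" in p.get("IDENTIFIER", "").lower():
        reasons.append("jiffle_wps")
    # A request that runs far longer than usual is the symptom of a looping script.
    if rec["ms"] >= SLOW_MS:
        reasons.append("slow")
    return reasons

def scan(text):
    """Return [(timestamp, reasons)] for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec) if rec else []
        if reasons:
            findings.append((rec["ts"], reasons))
    return findings
```

WPS Execute requests sent by POST carry the process identifier in the XML body rather than the query string, so those need body inspection (for example via the GeoServer monitoring extension) to be caught the same way.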
External POC / Exploit Code
EUVD-2025-17684
GHSA-gr67-pwcv-76gf