Vulnerability Description
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Osgeo | Geoserver | < 2.25.7 |
Related Weaknesses (CWE)
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gfThird Party Advisory
- https://github.com/geosolutions-it/jai-ext/pull/307Patch
- https://osgeo-org.atlassian.net/browse/GEOS-11778Permissions Required
FAQ
What is CVE-2025-30145?
CVE-2025-30145 is a vulnerability with a CVSS score of 7.5 (HIGH). GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic style...
How severe is CVE-2025-30145?
CVE-2025-30145 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-30145?
Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Geoserver.