{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30145", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-17T12:41:42.564Z", "datePublished": "2025-06-10T14:58:48.408Z", "dateUpdated": "2025-06-10T15:16:31.100Z"}, "containers": {"cna": {"title": "GeoServer has an Infinite Loop Vulnerability in Jiffle process", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf"}, {"name": "https://github.com/geosolutions-it/jai-ext/pull/307", "tags": ["x_refsource_MISC"], "url": "https://github.com/geosolutions-it/jai-ext/pull/307"}, {"name": "https://osgeo-org.atlassian.net/browse/GEOS-11778", "tags": ["x_refsource_MISC"], "url": "https://osgeo-org.atlassian.net/browse/GEOS-11778"}], "affected": [{"vendor": "geoserver", "product": "geoserver", "versions": [{"version": ">= 2.26.0, < 2.26.3", "status": "affected"}, {"version": "< 2.25.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-10T14:58:48.408Z"}, "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."}], "source": {"advisory": "GHSA-gr67-pwcv-76gf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T15:16:16.672596Z", "id": "CVE-2025-30145", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T15:16:31.100Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-30145", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-10T15:16:16.672596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T15:16:19.470Z"}}], "cna": {"title": "GeoServer has an Infinite Loop Vulnerability in Jiffle process", "source": {"advisory": "GHSA-gr67-pwcv-76gf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "geoserver", "product": "geoserver", "versions": [{"status": "affected", "version": ">= 2.26.0, < 2.26.3"}, {"status": "affected", "version": "< 2.25.7"}]}], "references": [{"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf", "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/geosolutions-it/jai-ext/pull/307", "name": "https://github.com/geosolutions-it/jai-ext/pull/307", "tags": ["x_refsource_MISC"]}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11778", "name": "https://osgeo-org.atlassian.net/browse/GEOS-11778", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-10T14:58:48.408Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30145", "state": "PUBLISHED", "dateUpdated": "2025-06-10T15:16:31.100Z", "dateReserved": "2025-03-17T12:41:42.564Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-10T14:58:48.408Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F0B3A06-FC80-4BDD-8E00-1AE8D51A5930", "versionEndExcluding": "2.25.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "657234C4-41D0-4CD9-B1DD-BBF565C608C6", "versionEndExcluding": "2.26.3", "versionStartIncluding": "2.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."}, {"lang": "es", "value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. GeoServer puede ejecutar scripts Jiffle maliciosos, ya sea como una transformaci\u00f3n de renderizado en estilos din\u00e1micos WMS o como un proceso WPS, que pueden entrar en un bucle infinito y provocar una denegaci\u00f3n de servicio. Esta vulnerabilidad se ha corregido en las versiones 2.27.0, 2.26.3 y 2.25.7. Esta vulnerabilidad se puede mitigar deshabilitando los estilos din\u00e1micos WMS y el proceso Jiffle."}], "id": "CVE-2025-30145", "lastModified": "2025-08-26T16:11:23.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-10T15:15:24.070", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/geosolutions-it/jai-ext/pull/307"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://osgeo-org.atlassian.net/browse/GEOS-11778"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-24T09:51:37.885416+00:00", "updated": "2025-06-24T09:51:37.885487+00:00", "vendors": ["geoserver", "geoserver$PRODUCT$geoserver"]}