CVE-2025-30145
GeoServer Infinite Loop Vulnerability in Jiffle process
Description
### Summary Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. ### Details The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations. ### Impact This vulnerability allows attackers to conduct denial-of-service attacks. ### Mitigation This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests)). If the WPS extension is installed, the Jiffle process must also be disabled to mitigate this vulnerability (see [WPS Settings](https://docs.geoserver.org/latest/en/user/services/wps/security.html#input-limits)) ### References https://github.com/geosolutions-it/jai-ext/pull/307 https://osgeo-org.atlassian.net/browse/GEOS-11778
How to fix CVE-2025-30145
To remediate CVE-2025-30145, upgrade the affected package to a fixed version below.
- —upgrade to 2.26.3 or later
- —upgrade to 2.26.3 or later
- —upgrade to 2.26.3 or later
Is CVE-2025-30145 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- >= 2.26.0, < 2.26.3