GeoServer Denial-of-Service Vulnerability in Jiffle Processing

Vulnerability

A denial-of-service vulnerability affects GeoServer 2.26.0 through 2.26.2 and 2.25.6 and earlier, i.e. every release before the fixed 2.27.0, 2.26.3 and 2.25.7 builds. GeoServer evaluates Jiffle scripts that arrive with a request, either as a rendering transformation inside a WMS dynamic style (a style the client supplies in the request rather than one stored on the server) or through the Jiffle WPS process. A script containing an unbounded loop never finishes: it keeps the request thread busy and consumes CPU until the server is overloaded.

Impact

Exploitation results in denial of service. Each request carrying such a script ties up a worker thread and CPU indefinitely, so a handful of requests is enough to make the server excessively slow or entirely unresponsive for other users.

Remediation

Upgrade to GeoServer 2.27.0, 2.26.3 or 2.25.7. Where an upgrade cannot be applied immediately, disable dynamic styling in the WMS service settings, which stops clients from submitting their own styles (and with them their own Jiffle rendering transformations) in a request; styles stored on the server are not affected by this setting. If the WPS extension is installed, also disable the Jiffle process in the WPS process access configuration. Both workarounds remove functionality, so check whether any clients rely on request-supplied SLD or on the Jiffle process before switching them off, and treat them as a stopgap until the upgrade is done.
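As an added example (not part of the advisory or of the GeoServer project's own code), the following Python maps a GeoServer version string, or the JSON that GeoServer's REST about/version endpoint returns, onto the affected and fixed ranges listed above, so an inventory of instances can be triaged. The JSON field layout used for the lookup is an assumption, the sample payload is constructed, and the check covers the version only: it cannot tell whether dynamic styling or the Jiffle WPS process has been disabled on a given instance.

```python
"""Triage GeoServer version strings against the Jiffle DoS advisory ranges."""
import json
import re
from typing import Optional, Tuple

# Patch level at which each branch named in the advisory received the fix.
# Releases below the listed patch on these branches are affected; together
# with "2.25.6 and earlier", every branch older than 2.25 is affected too.
FIXED_PATCH = {(2, 27): 0, (2, 26): 3, (2, 25): 7}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as "2.26.1",
    "2.26.1-ENTERPRISE" or "2.26-SNAPSHOT" (a missing patch counts as 0).
    Returns None when the string carries no version number at all."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it carries
    the fix, None if the string could not be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    branch = (major, minor)
    if branch > (2, 27):
        return False  # branches newer than 2.27 ship with the fix
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    return True  # 2.24 and older never received a fixed release


def version_from_about(payload: str) -> Optional[str]:
    """Pull the GeoServer "Version" field out of the JSON served by
    GET /geoserver/rest/about/version.json (admin credentials required).
    Assumed layout: {"about": {"resource": [{"@name": ..., "Version": ...}]}}."""
    data = json.loads(payload)
    for resource in data.get("about", {}).get("resource", []):
        if resource.get("@name") == "GeoServer":
            return resource.get("Version")
    return None


def assess_about(payload: str) -> Optional[bool]:
    """Combine the two steps: None when no GeoServer version is present."""
    version = version_from_about(payload)
    return None if version is None else is_affected(version)


# Constructed sample payload (not captured from a real server); only the
# fields the lookup above needs are included.
SAMPLE_ABOUT = json.dumps({"about": {"resource": [
    {"@name": "GeoServer", "Version": "2.26.1"},
    {"@name": "GeoTools", "Version": "32.1"},
]}})

if __name__ == "__main__":
    for v in ("2.24.5", "2.25.6", "2.25.7", "2.26.2", "2.26.3",
              "2.27.0", "2.26-SNAPSHOT", "n/a"):
        print(f"{v:16s} affected={is_affected(v)}")
    print("sample about/version.json:",
          "affected" if assess_about(SAMPLE_ABOUT) else "fixed or unknown")
```

A snapshot build such as 2.26-SNAPSHOT is treated as the .0 release of its branch and therefore flagged; that is deliberately conservative, since a snapshot may or may not contain the fix and should be checked by hand.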

Added: Jun 10, 2025, 4:47 PM
Updated: Jun 10, 2025, 4:47 PM

Vulnerability Rating

Custom Algorithm

  spread           5.0
  impact           2.5
  exploitability   8.1
  remediation      7.9
  relevance        0.2
  threat           0.0
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.