SB2026050561 - Multiple vulnerabilities in geoserver
Published: May 5, 2026
Breakdown by Severity (Low / Medium / High / Critical): per-severity counts are not preserved in this copy of the bulletin.
Description
This security bulletin contains information about 4 vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2025-30145)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in the Jiffle process when executing malicious Jiffle scripts submitted through WMS dynamic styles or as a WPS process. A remote attacker can submit a specially crafted Jiffle script to cause a denial of service.
2) XML External Entity injection (CVE-ID: CVE-2025-30220)
The vulnerability allows a remote attacker to disclose sensitive information and perform server-side request forgery.
The vulnerability exists due to improper restriction of XML external entity references in the WFS service's XSD schema handling when parsing XML requests. A remote attacker can send a specially crafted XML request to disclose sensitive information and perform server-side request forgery.
The issue bypasses the standard entity resolver and can trigger parsing of external DTDs and entities.
3) Missing Authorization (CVE-ID: CVE-2025-27505)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to missing authorization in the REST API index when handling requests to extension-suffixed REST paths such as rest.html. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue can reveal whether certain extensions are installed.
4) Information disclosure (CVE-ID: CVE-2024-38524)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the GeoWebCache home page when handling requests to the front page endpoint. A remote attacker can send a request to the GeoWebCache home page to disclose sensitive information.
The exposed information may include version and revision details, configuration file and storage locations, the system temp directory location, operating system hints, approximate server start time, and basic GeoWebCache usage information.
Remediation
Install the update from the vendor's website.
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf
- https://github.com/geosolutions-it/jai-ext/pull/307
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc
- https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5
- https://github.com/geoserver/geoserver/pull/8170
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f
- https://github.com/geoserver/geoserver/pull/8189