# GHSA-v92f-jx6p-73rx: Improper Control of Generation of Code ('Code Injection') in jai-ext
GitHub Security Advisory (GitHub reviewed; severity: Critical; has CVE)
## Advisory Details
### Impact
Programs that use jt-jiffle and allow a Jiffle script to be supplied via a network request are susceptible to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project.
### Patches
Version 1.2.22 will contain a patch that removes the ability to inject malicious code into the generated script.
### Workarounds
Remove the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
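The workaround depends on two facts about the deployed classpath: whether a Janino jar is present and whether the jt-jiffle jars predate the fixed release. The following POSIX shell script is an added example, not part of the advisory or of the jai-ext/GeoServer projects: it scans a library directory (such as a GeoServer `WEB-INF/lib`, an assumed layout) for `janino-*.jar` and `jt-jiffle-*.jar`, compares the jar version against a configurable `FIXED_VERSION`, and reports whether the workaround is in place. The default `1.1.22` is taken from the Affected Packages list below; the Patches note above cites 1.2.22, so set `FIXED_VERSION` to whichever your environment tracks. Jar naming (`name-x.y.z.jar`) is an assumption about the build.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a lib directory for the
# Jiffle/Janino workaround. Assumes jars are named like jt-jiffle-1.1.20.jar
# and janino-3.1.6.jar (constructed examples of the naming convention).
# usage: sh check_jiffle.sh /path/to/geoserver/WEB-INF/lib

# Fixed version per the Affected Packages list; override via the environment.
FIXED_VERSION="${FIXED_VERSION:-1.1.22}"

# version_lt A B: true (0) if dotted version A is strictly older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# jar_version PATH: print the trailing dotted version of a jar file name,
# e.g. jt-jiffle-language-1.1.20.jar -> 1.1.20; prints nothing if absent.
jar_version() {
    basename "$1" .jar | sed -n 's/^.*-\([0-9][0-9.]*\)$/\1/p'
}

# check_lib_dir DIR: print findings. Returns 1 only when a Janino jar sits
# beside a jt-jiffle jar older than FIXED_VERSION (workaround not applied),
# otherwise 0 (Jiffle cannot be compiled, or jt-jiffle is already fixed).
check_lib_dir() {
    dir="$1"
    janino_present=0
    vulnerable_jiffle=0
    for jar in "$dir"/*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar")
        case "$name" in
            janino-*.jar)
                janino_present=1
                echo "found Janino compiler on classpath: $name" ;;
            jt-jiffle-*.jar)
                ver=$(jar_version "$jar")
                if [ -n "$ver" ] && version_lt "$ver" "$FIXED_VERSION"; then
                    vulnerable_jiffle=1
                    echo "jt-jiffle $ver is older than $FIXED_VERSION: $name"
                fi ;;
        esac
    done
    if [ "$janino_present" -eq 1 ] && [ "$vulnerable_jiffle" -eq 1 ]; then
        echo "RISK: vulnerable jt-jiffle with Janino present; remove janino-*.jar or upgrade"
        return 1
    fi
    echo "OK: Jiffle scripts cannot be compiled, or jt-jiffle is at or after $FIXED_VERSION"
    return 0
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    check_lib_dir "$1"
fi
```

The script only inspects file names; it does not open jars or attempt compilation, so it is safe to run on a production host. A nonzero exit means the compiler is still reachable from an unpatched jt-jiffle and the workaround (or the upgrade) has not been applied.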
### References
None.
## Affected Packages
| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Maven | it.geosolutions.jaiext.jiffle:jt-jiffle | 0 | 1.1.22 |
| Maven | it.geosolutions.jaiext.jiffle:jt-jiffle-language | 0 | 1.1.22 |
## Related CVEs
None listed on this page.
## Key Information
Severity score: 9.0/10
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database.