CVE-2025-1695 Overview
CVE-2025-1695 is a denial-of-service vulnerability affecting F5 NGINX Unit versions prior to 1.34.2 when the Java Language Module is in use. Specially crafted requests trigger an infinite loop in the data plane, causing sustained CPU resource exhaustion on the affected worker process. A remote, unauthenticated attacker can exploit this flaw across the network to degrade service availability. The issue is scoped to the data plane and does not expose the control plane. F5 published advisory K000149959 covering the affected versions and remediation. The vulnerability is tracked as CWE-835: Loop with Unreachable Exit Condition.
Critical Impact
Remote unauthenticated attackers can trigger sustained CPU exhaustion in NGINX Unit deployments running the Java Language Module, leading to limited denial-of-service against application workloads.
Affected Products
- F5 NGINX Unit versions prior to 1.34.2
- Deployments using the Java Language Module
- Software versions past End of Technical Support (EoTS) are not evaluated
Discovery Timeline
- 2025-03-04 - CVE-2025-1695 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-1695
Vulnerability Analysis
The vulnerability resides in the Java Language Module of NGINX Unit, which executes Java applications under the Unit application server. When the module processes certain undisclosed request inputs, control flow enters a code path where the loop exit condition is never satisfied. The affected worker process then consumes CPU cycles indefinitely while servicing the malformed request.
This behavior matches the pattern described by CWE-835, where a loop contains a condition that can never become false. Because NGINX Unit dispatches requests to language-specific application processes, a stuck worker reduces overall request capacity. Sustained or repeated triggering degrades application throughput and increases response latency for legitimate clients.
The scope is limited to the data plane. The control plane API used to configure Unit is not exposed to this condition. Confidentiality and integrity are not affected, and availability impact is bounded to CPU degradation rather than full process termination.
Root Cause
The root cause is improper loop termination logic within the Java Language Module request handling path. Specific request inputs reach a branch where the condition guarding loop exit is never met, producing the infinite loop. F5 addressed the defect in NGINX Unit 1.34.2.
Attack Vector
Exploitation requires only network access to a vulnerable NGINX Unit listener that routes traffic to a Java application. No authentication or user interaction is required. The attacker sends crafted HTTP requests to the data plane endpoint exposed by Unit. Each successful request pins a worker into a CPU-bound loop, and repeated requests amplify the resource exhaustion effect.
No public proof-of-concept exploit, exploit database entry, or CISA KEV listing exists for this CVE at the time of writing. Refer to the F5 Security Advisory K000149959 for vendor-supplied technical details.
Detection Methods for CVE-2025-1695
Indicators of Compromise
- Sustained high CPU utilization in NGINX Unit Java worker processes (unitd Java application children) without a corresponding increase in legitimate request volume
- Long-running or never-completing HTTP requests targeting Java application routes configured in Unit
- Increased request latency or HTTP 5xx responses from upstream Unit listeners during anomalous traffic patterns
Detection Strategies
- Monitor per-process CPU time for NGINX Unit Java workers and alert when usage stays above baseline for extended intervals
- Correlate slow or hanging requests in access logs with worker CPU spikes to identify request patterns that trigger the loop
- Inspect HTTP request bodies and headers reaching the Java Language Module for anomalous structures preceding worker degradation
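The first two strategies above can be implemented as a small poller. The following is an added example, not code from F5 or the NGINX Unit project: it parses /proc/<pid>/stat for Unit application workers, computes each worker's CPU share per interval, and alerts only when a worker stays near 100% of one core for several consecutive intervals, which separates a pinned loop from an ordinary burst of work. The worker process-title pattern, the thresholds and the sample snapshots are assumptions made for this example.

```python
"""Detect NGINX Unit application workers pinned in a CPU-bound loop.

Added example; not code from F5 or the NGINX Unit project. Assumptions:
Unit titles its application workers  unit: "<app>" application,
CLK_TCK is 100 on the sample data, and 90% of a core for three
consecutive 5 s intervals is the alert condition.
"""
import os
import re
import sys
import time

WORKER_RE = re.compile(r'^unit: "([^"]+)" application')  # assumed title format


def parse_stat(stat_line):
    """Return (pid, comm, cpu_ticks) from one /proc/<pid>/stat line.

    comm (field 2) is parenthesised and may contain spaces or ')', so split
    on the LAST ')' instead of on whitespace; utime and stime are fields 14
    and 15, i.e. indexes 11 and 12 of what follows the closing parenthesis.
    """
    head, _, tail = stat_line.rpartition(")")
    pid_text, _, comm = head.partition("(")
    fields = tail.split()
    utime, stime = int(fields[11]), int(fields[12])
    return int(pid_text), comm, utime + stime


class RunawayDetector:
    """Track CPU share per pid across samples and flag sustained saturation."""

    def __init__(self, threshold=0.9, consecutive=3, clk_tck=100):
        self.threshold = threshold      # fraction of one core
        self.consecutive = consecutive  # hot intervals needed before alerting
        self.clk_tck = clk_tck          # ticks per second (sysconf SC_CLK_TCK)
        self.last = {}                  # pid -> (ticks, timestamp)
        self.hot = {}                   # pid -> consecutive hot intervals

    def observe(self, pid, ticks, at):
        """Record one sample; return True once pid has been hot long enough."""
        prev = self.last.get(pid)
        self.last[pid] = (ticks, at)
        if prev is None or at <= prev[1]:
            return False                # first sample, or clock went backwards
        share = (ticks - prev[0]) / self.clk_tck / (at - prev[1])
        self.hot[pid] = self.hot.get(pid, 0) + 1 if share >= self.threshold else 0
        return self.hot[pid] >= self.consecutive


def replay(snapshots, detector):
    """Feed (timestamp, [stat lines]) snapshots; return [(pid, comm, at)] alerts."""
    alerts = []
    for at, lines in snapshots:
        for line in lines:
            pid, comm, ticks = parse_stat(line)
            if detector.observe(pid, ticks, at):
                alerts.append((pid, comm, at))
    return alerts


def live_snapshot():
    """Read stat lines for the Unit application workers on this host."""
    lines = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                title = f.read().replace(b"\0", b" ").decode(errors="replace")
            if not WORKER_RE.match(title):
                continue
            with open(f"/proc/{entry}/stat") as f:
                lines.append(f.read().strip())
        except OSError:
            continue                    # process exited between the two reads
    return lines


# Constructed snapshots 5 s apart (fields 1-15 of /proc/<pid>/stat, CLK_TCK=100):
# pid 1201 gains 500 ticks per interval (100% of a core), pid 1202 gains 20 (4%).
SAMPLE_SNAPSHOTS = [
    (0.0, ['1201 (unit: "java-app) R 1200 1200 1200 0 -1 4194560 100 0 0 0 100 20',
           '1202 (unit: "java-app) S 1200 1200 1200 0 -1 4194560 100 0 0 0 10 5']),
    (5.0, ['1201 (unit: "java-app) R 1200 1200 1200 0 -1 4194560 100 0 0 0 580 40',
           '1202 (unit: "java-app) S 1200 1200 1200 0 -1 4194560 100 0 0 0 25 10']),
    (10.0, ['1201 (unit: "java-app) R 1200 1200 1200 0 -1 4194560 100 0 0 0 1060 60',
            '1202 (unit: "java-app) S 1200 1200 1200 0 -1 4194560 100 0 0 0 40 15']),
    (15.0, ['1201 (unit: "java-app) R 1200 1200 1200 0 -1 4194560 100 0 0 0 1540 80',
            '1202 (unit: "java-app) S 1200 1200 1200 0 -1 4194560 100 0 0 0 55 20']),
]


if __name__ == "__main__":
    if "--live" in sys.argv:            # poll the real workers every 5 s
        det = RunawayDetector(clk_tck=os.sysconf("SC_CLK_TCK"))
        while True:
            for pid, comm, at in replay([(time.monotonic(), live_snapshot())], det):
                print(f"ALERT pid={pid} {comm!r} saturating a core at t={at:.0f}")
            time.sleep(5)
    else:                               # offline run against the constructed data
        print(replay(SAMPLE_SNAPSHOTS, RunawayDetector()))
```

Run without arguments to see the constructed data produce a single alert for pid 1201 at the third hot interval; run with `--live` on a Linux host to poll real workers. Pair the alert timestamp with the access log entries that were in flight on that worker at the time: the request that never completes is the candidate trigger.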
Monitoring Recommendations
- Track NGINX Unit version inventory and flag any host running a release earlier than 1.34.2 with the Java module enabled
- Enable resource limit telemetry (cgroups, container CPU quotas) on hosts running Unit to detect runaway worker consumption
- Forward Unit access and error logs to a centralized log platform for correlation with host-level CPU metrics
How to Mitigate CVE-2025-1695
Immediate Actions Required
- Upgrade NGINX Unit to version 1.34.2 or later on all hosts running the Java Language Module
- Inventory all Unit deployments and identify configurations that load the Java application language module
- Restrict network exposure of Unit data plane listeners to trusted networks where feasible while patching is in progress
Patch Information
F5 fixed the vulnerability in NGINX Unit 1.34.2. Apply the upgrade per the guidance in F5 Security Advisory K000149959. Versions that have reached End of Technical Support are not evaluated and should be migrated to a supported release.
Workarounds
- Disable the Java Language Module if Java applications are not required on the affected Unit instance
- Place a rate-limiting reverse proxy or web application firewall in front of Unit to throttle abusive request patterns
- Apply CPU quotas via cgroups or container runtime limits to contain the impact of a stuck worker process
# Verify the installed NGINX Unit version and upgrade on Debian/Ubuntu
# (replace unit-jsc17 with the unit-jsc* package matching the JDK in use)
unitd --version
sudo apt-get update
sudo apt-get install --only-upgrade unit unit-jsc-common unit-jsc17
sudo systemctl restart unit
unitd --version   # confirm 1.34.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.