CVE-2025-41075 Overview
CVE-2025-41075 is a Denial of Service (DoS) vulnerability affecting LimeSurvey version 6.13.0. The vulnerability exists in the /optin endpoint, which triggers infinite HTTP redirects when accessed directly. This behavior can be exploited to exhaust server or client resources, causing service degradation or browser instability. The system is unable to break the redirect loop, making it a reliable vector for disruption attacks against LimeSurvey installations.
Critical Impact
Attackers can exploit the infinite redirect loop to cause resource exhaustion on both server and client sides, leading to service unavailability and potential browser crashes for users attempting to access the affected endpoint.
Affected Products
- LimeSurvey 6.13.0
Discovery Timeline
- November 20, 2025 - CVE-2025-41075 published to NVD
- November 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-41075
Vulnerability Analysis
This vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The /optin endpoint in LimeSurvey 6.13.0 contains flawed redirect logic that creates a self-referencing redirect chain when the endpoint is accessed directly without proper context or parameters.
The attack can be executed remotely over the network without any authentication or user interaction required. The primary impact is on system availability, as the infinite redirect loop consumes server resources handling continuous redirect responses and can overwhelm client browsers attempting to follow the redirect chain.
Root Cause
The root cause is improper redirect handling within the /optin endpoint. When this endpoint receives a request without the expected parameters or session context, instead of returning an appropriate error response or redirecting to a valid destination, it redirects back to itself. This creates an endless loop where each redirect response points back to the same endpoint, triggering another redirect.
The application lacks proper exit conditions or redirect cycle detection that would normally prevent such infinite loops. This oversight in the redirect logic allows the vulnerability to be triggered consistently.
Attack Vector
The attack is network-based and requires no authentication or special privileges. An attacker can exploit this vulnerability by:
- Sending HTTP requests directly to the /optin endpoint on a vulnerable LimeSurvey installation
- The server responds with a redirect pointing back to the same endpoint
- Each subsequent request triggers another redirect, creating an infinite loop
- Server resources are consumed handling the continuous redirect responses
- If a browser follows the redirects, client-side resources are also exhausted
This can be amplified by sending multiple concurrent requests to the vulnerable endpoint, potentially overwhelming the server's capacity to handle legitimate traffic.
Detection Methods for CVE-2025-41075
Indicators of Compromise
- Unusual spike in HTTP 3xx redirect responses from the LimeSurvey server
- High volume of requests to the /optin endpoint in web server access logs
- Client-side reports of browser hangs or crashes when accessing LimeSurvey
- Elevated server CPU or memory utilization without corresponding legitimate traffic increase
Detection Strategies
- Monitor web application firewall (WAF) logs for repeated requests to /optin from single sources
- Implement rate limiting on the /optin endpoint to detect and throttle abuse attempts
- Configure alerting for HTTP redirect loops detected in server response patterns
- Review access logs for patterns of rapid, repeated requests to the same endpoint
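As an added example that is not part of the advisory or of LimeSurvey itself, the following script implements the log review described above: it parses combined-format access log lines, counts 3xx responses from the opt-in route per source IP inside a sliding window, and flags sources that exceed a threshold. The log lines are constructed, and the route match (a path segment named optin) and the thresholds are assumptions to tune for your deployment.

```python
# Added example, not from the advisory or LimeSurvey: flag sources producing
# bursts of 3xx responses from /optin in combined-format access logs.
# Thresholds, the path match and the sample lines are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns (ip, timestamp, path, status) or None for unparseable lines
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]           # drop the query string
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), path, int(m["status"])

def is_optin_redirect(path, status):
    # LimeSurvey routes look like /index.php/optin/..., so match the segment
    return "optin" in path.strip("/").split("/") and 300 <= status < 400

def find_optin_abusers(lines, window=timedelta(seconds=10), threshold=20):
    # Map source IP -> peak number of /optin redirects in any sliding window
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_optin_redirect(rec[2], rec[3]):
            stamps[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample: 203.0.113.7 is caught in the loop, 198.51.100.4 is normal
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Nov/2025:10:00:{i % 6:02d} +0000] '
    f'"GET /index.php/optin/tokens/1 HTTP/1.1" 302 0' for i in range(25)
] + [
    '198.51.100.4 - - [21/Nov/2025:10:00:01 +0000] "GET /index.php/optin/tokens/1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [21/Nov/2025:10:00:02 +0000] "GET /index.php/123456 HTTP/1.1" 200 4821',
]
```

Running `find_optin_abusers(SAMPLE_LOG)` on the constructed sample flags only the looping source; feed it real access log lines (one per list element) to use it in an investigation.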
Monitoring Recommendations
- Set up real-time monitoring for unusual redirect response patterns in LimeSurvey
- Configure network monitoring tools to alert on high-frequency requests to /optin
- Implement server health monitoring to detect resource exhaustion symptoms
- Enable detailed logging for the /optin endpoint to support incident investigation
How to Mitigate CVE-2025-41075
Immediate Actions Required
- Upgrade LimeSurvey to a patched version once available from the vendor
- Implement rate limiting on the /optin endpoint at the web server or WAF level
- Consider temporarily restricting access to the /optin endpoint if not operationally required
- Monitor server resources and implement automatic scaling or circuit breakers where possible
Patch Information
No official vendor patch has been confirmed at this time. Organizations should monitor the INCIBE Security Notice and official LimeSurvey security channels for patch availability. Once a patch is released, prioritize testing and deployment based on your organization's exposure.
Workarounds
- Implement rate limiting at the reverse proxy or load balancer level for requests to /optin
- Configure web server rules to detect and block redirect loops targeting the vulnerable endpoint
- Deploy a WAF rule to limit the number of requests from a single source to /optin within a time window
- Consider IP-based access restrictions if the opt-in functionality is only needed from specific networks
# Example Nginx rate limiting configuration for the /optin endpoint.
# limit_req_zone is only valid in the http context, so place that directive
# at the http level; the location block goes inside your LimeSurvey server block.
limit_req_zone $binary_remote_addr zone=optin_limit:10m rate=5r/s;
# Adjust the path if your installation serves the route as /index.php/optin
location /optin {
limit_req zone=optin_limit burst=10 nodelay;
limit_req_status 429;
# Continue with normal proxy/fastcgi configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.