CVE-2025-1695

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000149959	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*

History

05 Mar 2025, 15:18

Type	Values Removed	Values Added
First Time		F5 nginx F5
References	~~() https://my.f5.com/manage/s/article/K000149959 -~~	() https://my.f5.com/manage/s/article/K000149959 - Vendor Advisory
CPE		cpe:2.3:a:f5:nginx::::::::
Summary		(es) En NGINX Unit anterior a la versión 1.34.2 con el módulo de lenguaje Java en uso, las solicitudes no reveladas pueden generar un bucle infinito y provocar un aumento en la utilización de los recursos de la CPU. Esta vulnerabilidad permite que un atacante remoto provoque una degradación que puede provocar una denegación de servicio (DoS) limitada. No hay exposición del plano de control; se trata únicamente de un problema del plano de datos. Nota: Las versiones de software que han llegado al final del soporte técnico (EoTS) no se evalúan.

04 Mar 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-04 01:15

Updated : 2025-03-05 15:18

NVD link : CVE-2025-1695

Mitre link : CVE-2025-1695

CVE.ORG link : CVE-2025-1695

JSON object : View

Products Affected

f5

nginx

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2025-1695", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-04T01:15:10.063", "references": [{"url": "https://my.f5.com/manage/s/article/K000149959", "tags": ["Vendor Advisory"], "source": "f5sirt@f5.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "f5sirt@f5.com", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). \u00a0There is no control plane exposure; this is a data plane issue only. \u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "En NGINX Unit anterior a la versi\u00f3n 1.34.2 con el m\u00f3dulo de lenguaje Java en uso, las solicitudes no reveladas pueden generar un bucle infinito y provocar un aumento en la utilizaci\u00f3n de los recursos de la CPU. Esta vulnerabilidad permite que un atacante remoto provoque una degradaci\u00f3n que puede provocar una denegaci\u00f3n de servicio (DoS) limitada. No hay exposici\u00f3n del plano de control; se trata \u00fanicamente de un problema del plano de datos. Nota: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan."}], "lastModified": "2025-03-05T15:18:38.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C948A6A6-5CA3-47D1-8A7F-7245C1160D14", "versionEndExcluding": "1.34.2", "versionStartIncluding": "1.29.1"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}