
Cloud Vulnerability DB
A community-led vulnerabilities database
In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability, identified as CVE-2025-1695, was discovered and disclosed on March 3, 2025. The vulnerability affects NGINX Unit versions from 1.29.1 up to (but not including) 1.34.2 (NVD).
The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop')). It has received a CVSS v4.0 base score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).
The vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). The issue affects only the data plane, with no control plane exposure. The primary impact is an increase in CPU resource utilization due to the infinite loop condition (NVD).
The vulnerability has been fixed in NGINX Unit version 1.34.2. Users are advised to upgrade to this version or later to mitigate the issue. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated (NVD).
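To triage which hosts need the upgrade, the following added example (not code from NVD, F5 or this database) combines the two conditions stated above: a version in the affected range and a Java application in use. It assumes you have collected each host's Unit version string and its configuration JSON (the document Unit's control API serves under `/config`), and it treats a configured application of type `java` as the sign that the Java module is in use; the sample inputs are constructed.

```python
import json
import re

AFFECTED_FROM = (1, 29, 1)  # first affected release, per the advisory
FIXED_IN = (1, 34, 2)       # first fixed release, per the advisory

def parse_version(text):
    """Pull a dotted x.y.z version out of free-form text."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def java_apps(config):
    """Names of applications whose type is 'java' or 'java <version>'."""
    apps = config.get("applications", {})
    return sorted(name for name, app in apps.items()
                  if str(app.get("type", "")).split()[:1] == ["java"])

def assess(version_text, config_json):
    """Exposed only if the version is in range AND a Java app is configured."""
    version = parse_version(version_text)
    in_range = AFFECTED_FROM <= version < FIXED_IN
    apps = java_apps(json.loads(config_json))
    return {"version": ".".join(map(str, version)),
            "in_affected_range": in_range,
            "java_apps": apps,
            "exposed": in_range and bool(apps)}

# Constructed sample inputs (hypothetical host, not taken from the advisory).
SAMPLE_VERSION = "unit version: 1.33.0"
SAMPLE_CONFIG = json.dumps({
    "listeners": {"*:8080": {"pass": "applications/shop"}},
    "applications": {
        "shop": {"type": "java 11", "webapp": "/srv/shop.war"},
        "admin": {"type": "python 3", "path": "/srv/admin", "module": "wsgi"},
    },
})

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Versions older than 1.29.1 fall outside the evaluated range rather than being confirmed safe, so a result of `in_affected_range: False` on such a host still warrants an upgrade to a supported release.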
Source: This report was generated using AI