CVE-2025-27497: 
Java vulnerability analysis and mitigation

OpenDJ, an LDAPv3 compliant directory service, contains a denial-of-service (DoS) vulnerability in versions prior to 4.9.3. The vulnerability was discovered on March 5, 2025, and assigned CVE-2025-27497. The issue causes the server to become unresponsive to all LDAP requests without crashing or restarting when an alias loop exists in the LDAP database (NVD, GitHub Advisory).

The vulnerability is triggered when an ldapsearch request is executed with alias dereferencing set to "always" on an alias entry that contains a loop. The issue stems from improper handling of alias dereferencing recursion, which can lead to an infinite loop condition (CWE-835). The vulnerability has received a CVSS 4.0 Base Score of 8.7 HIGH (Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) (NVD).

When exploited, the vulnerability causes the OpenDJ server to become completely unresponsive to all LDAP requests. While the server does not crash or restart, it remains unavailable until manually restarted. Fortunately, the server can be restarted without any data corruption (GitHub Advisory).

The vulnerability has been fixed in OpenDJ version 4.9.3. Users are strongly recommended to upgrade to this version to address the issue. The fix includes implementation of proper detection and handling of alias dereferencing recursion (GitHub Commit).