CVE-2025-41074: 
NixOS vulnerability analysis and mitigation

A vulnerability has been identified in LimeSurvey version 6.13.0, tracked as CVE-2025-41074, which was discovered and reported by Julen Garrido Estevez. The vulnerability affects the /optout endpoint, causing infinite HTTP redirects when accessed directly. This vulnerability was disclosed on November 20, 2025, and has been assigned a CVSS v4.0 base score of 6.9 (Medium) and CVSS v3.1 score of 7.5 (High) (INCIBE Advisory, NVD).

The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop'). When the /optout endpoint is accessed directly, it triggers an infinite HTTP redirect loop. The system is unable to break this redirect loop, leading to resource exhaustion. The vulnerability has been assigned CVSS v4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N and CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The infinite redirect loop can cause service degradation and browser instability, affecting the availability of the LimeSurvey application (INCIBE Advisory).

The vulnerability has been fixed in LimeSurvey version 6.15.0. Users are advised to upgrade to this version to mitigate the security risk (INCIBE Advisory).