CVE-2025-41075: 
NixOS vulnerability analysis and mitigation

A vulnerability has been identified in LimeSurvey version 6.13.0, specifically in the endpoint /optin that causes infinite HTTP redirects when accessed directly. The vulnerability was discovered and reported by Julen Garrido Estevez, and was assigned CVE-2025-41075. The issue was publicly disclosed on November 20, 2025, and has been assigned a CVSS v4.0 base score of 6.9 (MEDIUM) (INCIBE Advisory).

The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop'). When the /optin endpoint is accessed directly, it triggers an infinite HTTP redirect loop. The CVSS v3.1 base score is 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while the CVSS v4.0 score is 6.9 (MEDIUM) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (NVD Database).

The vulnerability can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can result in service degradation or browser instability (INCIBE Advisory).

The vulnerability has been fixed by the LimeSurvey team in version 6.15.0. Users are advised to upgrade to this version to mitigate the security risk (INCIBE Advisory).