CVE-2025-41076: 
NixOS vulnerability analysis and mitigation

In version 6.13.0 of LimeSurvey, a vulnerability has been identified that allows any external user to expose sensitive system information through error messages. The vulnerability (CVE-2025-41076) was discovered and reported through the Spanish National Cybersecurity Institute (INCIBE) on November 20, 2025. The affected software is LimeSurvey version 6.13.0, a widely-used online survey application (INCIBE Advisory).

The vulnerability occurs when a malformed session cookie is sent to the survey system, triggering a 500 error response. Instead of returning a generic error message, the system inadvertently exposes internal backend information, including details about the Yii framework implementation, MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, and is classified as CWE-209 (Generation of Error Message Containing Sensitive Information) (INCIBE Advisory).

The exposure of sensitive backend information can aid attackers in gathering intelligence about the internal architecture of the application. This information disclosure could potentially simplify further targeted attacks by providing insights into the system's structure, database schema, and technology stack (INCIBE Advisory).

The vulnerability has been fixed in LimeSurvey version 6.15.0. Users are advised to upgrade to this version to mitigate the risk (INCIBE Advisory).