CVE-2025-1695

5.3 MEDIUM

📋 TL;DR

NGINX Unit before 1.34.2, when the Java Language Module is in use, can be driven into an infinite loop by undisclosed requests from an unauthenticated remote attacker. The looping worker burns CPU, degrading or denying service to the Java-backed application (the vendor rates it a limited denial of service). Only the data plane (application listeners and routes) is exposed; the control plane (the control API) is not affected.

💻 Affected Systems

Products:
  • NGINX Unit
Versions: All versions before 1.34.2 (releases past end of technical support were not evaluated by the vendor)
Operating Systems: All platforms running NGINX Unit
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when at least one configured application uses the Java Language Module (a "java" application type); Unit ships with no applications configured, so the module is not loaded until one is added.

📦 What is this software?

NGINX Unit is F5's open-source, polyglot application server. It runs applications in several languages behind its own listeners, including Java servlet/WAR applications through the Java Language Module, and is configured entirely at runtime through a REST control API, normally exposed on a Unix domain socket. In this advisory the "data plane" is the set of listeners and routes that serve client traffic; the "control plane" is that control API.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained CPU exhaustion from looping application workers leaves the Java-backed application unavailable to legitimate users; other applications on the same host suffer from the contention.

🟠 Likely Case

Performance degradation and intermittent service disruptions for Java applications under sustained attack.

🟢 If Mitigated

Minimal impact once patched. On unpatched hosts, CPU monitoring, network restrictions and upstream rate limiting reduce exposure but do not remove it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vendor has not disclosed the triggering request. No authentication is needed: any client that can reach a Unit listener routed to a Java application can send it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.34.2

Vendor Advisory: https://my.f5.com/manage/s/article/K000149959

Restart Required: Yes

Instructions:

1. Obtain NGINX Unit 1.34.2 or later from the official package repositories or source.
2. Stop the NGINX Unit service (unitd).
3. Install the updated unitd package together with the matching Java Language Module package (Unit language modules are version-pinned to unitd and must be upgraded in step).
4. Start the NGINX Unit service and confirm the Java applications come back up.

🔧 Temporary Workarounds

Disable Java Module

Platform: all

Remove Java applications from the configuration if they are not required; the Java Language Module is only loaded for configured "java" applications.

Through the control API, delete the listener or route that forwards to each Java application first, then delete the application itself (Unit refuses to remove an application that a listener or route still references). Control API changes are applied live, so no restart is needed for this step.

Implement Rate Limiting

Platform: all

Limit request frequency to the listeners and paths that front Java applications.

NGINX Unit has no built-in request rate limiting, so configure it in the reverse proxy in front of Unit (for example NGINX limit_req) or at the load balancer. Because a single undisclosed request may be enough to start the loop, this lowers exposure but does not remove it.

🧯 If You Can't Patch

  • Restrict access to the listeners that route to Java applications to trusted networks with segmentation and firewall rules; the control API is not the exposed surface here
  • Alert on sustained per-process CPU for unitd application processes (an infinite loop shows up as one worker pinned near 100% of a core, not as a log message)
  • Remove Java applications that are not strictly needed so the module is not loaded at all

🔍 How to Verify

Check if Vulnerable:

A host is vulnerable if unitd reports a version below 1.34.2 and at least one application in the configuration has a "type" beginning with "java" (Unit also accepts pinned types such as "java 17"). The configuration lives in the running daemon and is read through the control API, not from a file.

Check Version:

unitd --version

Check for Java Applications (the control socket path below is the Linux package default; adjust to your install):

curl --unix-socket /var/run/control.unit.sock http://localhost/config/applications

Verify Fix Applied:

unitd --version reports 1.34.2 or higher, the installed Java Language Module package matches that version, and the Java applications start and serve requests after the restart.
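As an added example (not code from the NGINX Unit project or the F5 advisory), the following POSIX shell script puts the two checks above together: it parses the version banner, scans the /config/applications document for Java applications, and reports a verdict. It runs first on constructed sample data and then, if it finds a unitd binary and a control socket, on the live host. The control socket path /var/run/control.unit.sock and the verdict names are assumptions; the "unit version:" banner and the /config/applications endpoint are Unit's own.

```shell
#!/bin/sh
# Added example (not from the NGINX Unit project or the advisory): decide whether a
# host is in scope for CVE-2025-1695 from the two facts that matter, the unitd
# version and whether any configured application uses the Java language module.

FIXED_VERSION="1.34.2"

# version_lt A B: exit 0 when dotted version A is lower than B (numeric per component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# parse_unit_version OUTPUT: pull "1.34.1" out of `unitd --version` text,
# whose first line reads "unit version: 1.34.1".
parse_unit_version() {
    printf '%s\n' "$1" | sed -n 's/^unit version: *\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# has_java_app JSON: exit 0 when the /config/applications document contains an
# application whose type starts with "java" (covers pinned types such as "java 17").
has_java_app() {
    printf '%s\n' "$1" | grep -Eq '"type"[[:space:]]*:[[:space:]]*"java'
}

# assess VERSION_OUTPUT CONFIG_JSON: print one verdict token (names are this script's own).
assess() {
    ver="$(parse_unit_version "$1")"
    if [ -z "$ver" ]; then
        echo "UNKNOWN_VERSION"
    elif ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "PATCHED"
    elif has_java_app "$2"; then
        echo "VULNERABLE"
    else
        echo "AFFECTED_VERSION_NO_JAVA_APP"
    fi
}

# Constructed sample data standing in for a live host: an unpatched unitd with one Java app.
SAMPLE_VERSION_OUTPUT='unit version: 1.34.1
configured as ./configure --prefix=/usr --control=unix:/var/run/control.unit.sock'
SAMPLE_CONFIG='{"shop":{"type":"java 17","webapp":"/srv/shop.war"},"api":{"type":"python 3.12","module":"app"}}'

echo "sample host: $(assess "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONFIG")"

# Live check when run on a Unit host. The control socket path is an assumption
# (Linux package default); override with UNIT_CONTROL_SOCK. unitd may print its
# version banner to stderr, so both streams are captured.
UNIT_CONTROL_SOCK="${UNIT_CONTROL_SOCK:-/var/run/control.unit.sock}"
if command -v unitd >/dev/null 2>&1 && [ -S "$UNIT_CONTROL_SOCK" ]; then
    live_version="$(unitd --version 2>&1)"
    live_config="$(curl -s --unix-socket "$UNIT_CONTROL_SOCK" http://localhost/config/applications)"
    echo "this host:   $(assess "$live_version" "$live_config")"
fi
```

The version comparison is numeric per component rather than a string compare, so 1.9.x is correctly ranked below 1.34.2. A host on an affected version with no Java application is reported separately: it is not currently exposed, but adding a Java application later would make it so without any version change.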

📡 Detection & Monitoring

Log Indicators:

  • Unusual request volume in the Unit access log to paths routed to Java applications
  • Requests to Java applications that never complete, or complete only after the worker is restarted (the loop itself writes no distinctive log message)

Network Indicators:

  • Sustained traffic to listeners that front Java applications from a small set of sources
  • Abnormal or malformed request patterns against those listeners

Host Indicators:

  • A unitd application process pinned near 100% of a core for minutes while request throughput drops

SIEM Query (skeleton; adapt field and source names to your log pipeline):

source="nginx-unit" AND message="*java*"

Pair this with a metrics alert on per-process CPU for unitd. The string "high cpu" never appears in Unit's logs, so the CPU condition has to come from host or process telemetry, not from log search.
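An added example, not part of the original page or the NGINX Unit project: since the loop leaves no distinctive log line, the practical detector is process CPU. This POSIX shell script applies a CPU threshold and a minimum process age to `ps -eo pid,pcpu,etimes,args` output, first on a constructed snapshot and then on the live process table when ps is available. The 90% threshold and 60-second minimum age are tuning assumptions; the `unit: ...` process titles are how Unit names its main, controller, router and application processes on Linux.

```shell
#!/bin/sh
# Added example (not from the NGINX Unit project or the advisory): host-side detection
# for the failure mode described above. An infinite loop in an application worker
# shows up as a unitd application process pinned near 100% of one core, so the
# check reads process CPU rather than log text.

CPU_THRESHOLD="${CPU_THRESHOLD:-90}"     # percent of one core; tuning assumption
MIN_AGE_SECONDS="${MIN_AGE_SECONDS:-60}" # ignore brief startup spikes; tuning assumption

# flag_hot_unit_procs: read `ps -eo pid,pcpu,etimes,args` output on stdin and print
# "PID CPU AGE ARGS" for every Unit process over both thresholds. Unit retitles its
# processes ("unit: router", 'unit: "shop" application'), so the command column
# starts with "unit:" regardless of where the binary lives.
flag_hot_unit_procs() {
    awk -v thr="$CPU_THRESHOLD" -v age="$MIN_AGE_SECONDS" '
        NR == 1 { next }                              # skip the ps header line
        $4 == "unit:" && $2 + 0 >= thr && $3 + 0 >= age {
            line = $1 " " $2 " " $3
            for (i = 4; i <= NF; i++) line = line " " $i
            print line
        }'
}

# count_hot: number of flagged processes on stdin, usable as an alert condition.
count_hot() {
    flag_hot_unit_procs | wc -l | tr -d ' '
}

# Constructed ps snapshot: a healthy router, a "shop" Java application worker that
# has been spinning on one core for almost seven minutes, and a sibling worker that
# is hot but only five seconds old (startup, ignored by the age filter).
SAMPLE_PS='  PID %CPU ELAPSED COMMAND
  812  0.1    3600 unit: main v1.34.1 [unitd --no-daemon]
  815  0.3    3600 unit: controller
  816  2.4    3600 unit: router
  901 99.8     412 unit: "shop" application
  902 97.0       5 unit: "shop" application
  950  0.0   86400 /usr/sbin/sshd -D'

echo "sample snapshot, flagged processes:"
printf '%s\n' "$SAMPLE_PS" | flag_hot_unit_procs

# Live snapshot (procps ps on Linux; etimes is elapsed seconds). Exit 2 when
# something is flagged so a cron job or monitoring hook can act on the status.
if ps -eo pid,pcpu,etimes,args >/dev/null 2>&1; then
    hot="$(ps -eo pid,pcpu,etimes,args | flag_hot_unit_procs)"
    if [ -n "$hot" ]; then
        echo "ALERT: Unit process(es) over ${CPU_THRESHOLD}% CPU for ${MIN_AGE_SECONDS}s or more:"
        echo "$hot"
        exit 2
    fi
fi
```

The age filter matters in practice: a freshly started Java worker legitimately spends a few seconds near 100% while the JVM warms up, and without it the detector pages on every deploy. Note that `pcpu` from ps is a lifetime average, so a worker that has just entered the loop after hours of idling will take time to cross the threshold; a sampling monitor that reads CPU deltas over a short window reacts faster.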

🔗 References

  • F5 security advisory K000149959: https://my.f5.com/manage/s/article/K000149959
