CVE-2025-41074

7.5 HIGH

📋 TL;DR

This vulnerability in LimeSurvey's /optout endpoint causes infinite HTTP redirects when accessed directly, creating a denial-of-service condition. Attackers can exploit this to exhaust server resources or crash client browsers, affecting all LimeSurvey 6.13.0 installations with the vulnerable endpoint exposed.

💻 Affected Systems

Products:
  • LimeSurvey
Versions: 6.13.0
Operating Systems: All platforms running LimeSurvey
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the /optout endpoint accessible. The vulnerability is present in the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to server resource exhaustion, potentially affecting all users of the LimeSurvey instance and causing browser crashes for clients.

🟠 Likely Case

Service degradation with increased server load and potential browser instability for users accessing the vulnerable endpoint.

🟢 If Mitigated

Minimal impact if endpoint is blocked or patched, though some performance degradation may occur during attack attempts.

🌐 Internet-Facing: HIGH - The /optout endpoint is typically accessible without authentication, making internet-facing instances highly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to disrupt services, though attack surface is more limited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint, making it trivial to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.13.1 or later

Vendor Advisory: https://www.limesurvey.org/security/

Restart Required: No

Instructions:

1. Backup your LimeSurvey installation and database.
2. Download the latest version from the official LimeSurvey website.
3. Replace the affected files with the patched version.
4. Clear any caches if applicable.

🔧 Temporary Workarounds

Block /optout endpoint

all

Use web server configuration to block access to the vulnerable /optout endpoint

# For Apache (in server or virtual host context, with mod_rewrite enabled):
RewriteRule ^/optout - [F]

# For Nginx:
location ~ ^/optout { return 403; }

🧯 If You Can't Patch

  • Implement rate limiting on the /optout endpoint to prevent DoS amplification
  • Use a WAF to detect and block infinite redirect patterns

🔍 How to Verify

Check if Vulnerable:

Access https://your-limesurvey-instance/optout directly and check if it causes infinite redirects or returns an error

Check Version:

Check the version.php file or admin dashboard for LimeSurvey version

Verify Fix Applied:

After patching, access the /optout endpoint and verify it no longer causes redirect loops

📡 Detection & Monitoring

Log Indicators:

  • High frequency of 3xx redirect responses from /optout endpoint
  • Increased server load without corresponding legitimate traffic

Network Indicators:

  • Excessive HTTP redirect chains originating from single IP addresses
  • Unusual traffic patterns to /optout endpoint

SIEM Query:

source="web_server" (url="/optout" AND status_code=3*) | stats count by src_ip
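An offline version of the detection logic above, added here as an illustration (not part of the advisory): it parses combined-format access log lines, counts 3xx responses to /optout per source IP as the SIEM query does, and flags sources above a threshold. The sample log lines and the 10-request threshold are constructed assumptions.

```python
import re
from collections import Counter

# Common/combined access log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return ip, path (query string stripped) and int status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def count_optout_redirects(lines, endpoint="/optout"):
    """Per-source-IP count of 3xx responses for the endpoint (mirrors the SIEM query)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == endpoint and 300 <= rec["status"] < 400:
            counts[rec["ip"]] += 1
    return counts

def flag_sources(counts, threshold=10):
    """Sources at or above the threshold; a client stuck in the loop produces a burst of 3xx."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample: one client caught in the redirect loop, one legitimate client.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:%02d +0000] "GET /optout HTTP/1.1" 302 0' % i
    for i in range(12)
] + [
    '198.51.100.2 - - [01/Jan/2025:10:00:20 +0000] "GET /optout?token=abc HTTP/1.1" 200 512',
    '198.51.100.2 - - [01/Jan/2025:10:00:21 +0000] "GET /index.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    redirects = count_optout_redirects(SAMPLE_LOG)
    print("3xx /optout responses by source:", dict(redirects))
    print("flagged:", flag_sources(redirects))
```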
