CVE-2025-41076
📋 TL;DR
This vulnerability allows external users to trigger a 500 error in LimeSurvey by sending malformed session cookies, which exposes sensitive internal system information instead of showing a generic error. The leaked information includes framework details, database engine, table names, and primary keys, which could aid attackers in reconnaissance. All LimeSurvey 6.13.0 installations with internet exposure are affected.
💻 Affected Systems
- LimeSurvey
📦 What is this software?
LimeSurvey by LimeSurvey
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the exposed internal architecture information to plan more sophisticated attacks, potentially leading to database compromise or privilege escalation.
Likely Case
Information disclosure that simplifies reconnaissance for attackers, making subsequent attacks easier to execute.
If Mitigated
Limited to information disclosure without direct system compromise if proper error handling is implemented.
🎯 Exploit Status
Exploitation requires sending malformed session cookies to trigger the error condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.13.1 or later
Vendor Advisory: https://www.limesurvey.org/security/
Restart Required: Yes
Instructions:
1. Backup your LimeSurvey installation and database.
2. Download the latest version from the official LimeSurvey website.
3. Replace the existing installation files with the updated version.
4. Run any database update scripts if provided.
5. Restart the web server service.
🔧 Temporary Workarounds
Implement Custom Error Handling
Configure the web server or application to return generic error pages instead of detailed error messages.
# For Apache: Set ErrorDocument 500 /error.html
# For Nginx: error_page 500 /error.html;
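The ErrorDocument / error_page settings above hide the detail at the web-server layer. The following is an added example (not LimeSurvey or Yii code) that shows the same fix at the application layer: a minimal WSGI app in a leaky variant, which echoes the exception text into the 500 body the way the advisory describes, beside a hardened variant that logs the detail server-side and returns a generic page. The session-cookie name `PHPSESSID`, the PHP session-id alphabet check, the fake `load_session` function and the constructed exception message (built from the advisory's own indicator strings `Yii`, `MySQL`, `lime_sessions`) are all assumptions made for the demonstration.

```python
"""Added example, not LimeSurvey code: leaky vs. generic 500 handling.

Assumptions (not from the advisory): PHP-style session cookie named PHPSESSID,
a stand-in load_session() that raises when the id does not fit the PHP
session-id alphabet, and a constructed error message in the shape of a
framework/database exception.
"""
import logging
import re
from io import BytesIO

log = logging.getLogger("app")

# Assumption: PHP's default session-id alphabet and a plausible length range.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,256}$")

# Strings the advisory lists as indicators of a leaky error page.
LEAK_MARKERS = ("Yii", "MySQL", "lime_sessions")


class InternalError(Exception):
    """Stand-in for a framework exception whose message carries internals."""


def session_id_from(cookie_header):
    """Extract the PHPSESSID value from a raw Cookie header ('' if absent)."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "PHPSESSID":
            return value
    return ""


def load_session(cookie_header):
    """Fake session loader: reject ids outside the expected alphabet."""
    sid = session_id_from(cookie_header)
    if not SESSION_ID_RE.match(sid):
        # Constructed message, not real LimeSurvey output.
        raise InternalError(
            "Yii CDbCommand failed: MySQL error in table lime_sessions, "
            f"primary key id={sid!r}")
    return {"id": sid}


def verbose_app(environ, start_response):
    """Leaky variant: the exception text becomes the response body."""
    try:
        load_session(environ.get("HTTP_COOKIE"))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    except Exception as exc:
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain")])
        return [f"Error: {exc}".encode()]


def hardened_app(environ, start_response):
    """Hardened variant: full detail goes to the server log, client gets a
    generic page. Status stays 500 so monitoring still sees the failure."""
    try:
        load_session(environ.get("HTTP_COOKIE"))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    except Exception:
        log.error("unhandled error for %s", environ.get("REMOTE_ADDR"),
                  exc_info=True)
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain")])
        return [b"An internal error occurred."]


def call(app, cookie):
    """Invoke a WSGI app in-process; return (status line, decoded body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "HTTP_COOKIE": cookie,
        "REMOTE_ADDR": "203.0.113.5",  # constructed client address
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def leaks_internals(body):
    """True if the response body contains any of the advisory's indicators."""
    return any(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    bad_cookie = "PHPSESSID=%%bad%%"  # constructed, does not match the alphabet
    for app in (verbose_app, hardened_app):
        status, body = call(app, bad_cookie)
        print(app.__name__, status, "leaks" if leaks_internals(body) else "generic")
```

Whichever layer you fix it at, keep the 500 status code itself: the detection queries in this advisory key on status=500, and swallowing the failure into a 200 would hide it from monitoring as well as from the client.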
Web Application Firewall Rule
Block requests with malformed session cookies using WAF rules.
# Example ModSecurity rule: SecRule REQUEST_COOKIES "@rx malformed_pattern" "id:1001,phase:1,deny"
🧯 If You Can't Patch
- Implement a web application firewall (WAF) to filter malformed session cookies.
- Monitor and block IP addresses that trigger 500 errors with suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed LimeSurvey version is 6.13.0 by reviewing the version file or the admin panel.
Check Version:
grep -r 'version' /path/to/limesurvey/ | grep -F '6.13.0'
Verify Fix Applied:
Verify that the version is 6.13.1 or later, then send a request with a malformed session cookie and confirm that the response is a generic error page with no internal details.
📡 Detection & Monitoring
Log Indicators:
- 500 error responses in web server logs with detailed error messages containing 'Yii', 'MySQL', 'lime_sessions'
Network Indicators:
- HTTP 500 responses with internal framework details in the body
SIEM Query:
source="web_logs" status=500 AND (message="*Yii*" OR message="*MySQL*" OR message="*lime_sessions*")
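The SIEM query above expressed as standalone detection logic, as an added example that is not part of the advisory. It applies the same condition (status 500 and a message containing any of `Yii`, `MySQL`, `lime_sessions`, matched as case-sensitive substrings) to constructed JSON-lines log records, and adds the per-source counter needed for the "monitor and block IP addresses that trigger 500 errors with suspicious patterns" workaround. The record field names `src`, `status` and `message`, the threshold of three hits, and every sample line are assumptions constructed for the example, not LimeSurvey or web-server output.

```python
"""Added example, not part of the advisory: the SIEM query as code.

Assumptions: JSON-lines log records with fields src, status, message
(names and sample lines are constructed); a threshold of 3 leaky 500s per
source before it is reported.
"""
import json
from collections import Counter

# Indicator strings taken from the advisory's Log Indicators section.
LEAK_MARKERS = ("Yii", "MySQL", "lime_sessions")

# Constructed sample log; the malformed line checks the parser's robustness.
SAMPLE_LOG = """\
{"src": "203.0.113.5", "status": 500, "message": "Yii CDbException: MySQL error on table lime_sessions"}
{"src": "203.0.113.5", "status": 500, "message": "Yii CDbException: MySQL error on table lime_sessions"}
{"src": "203.0.113.5", "status": 500, "message": "Yii CDbException: MySQL error on table lime_sessions"}
{"src": "198.51.100.7", "status": 200, "message": "OK"}
{"src": "198.51.100.7", "status": 500, "message": "An internal error occurred."}
{"src": "192.0.2.9", "status": 500, "message": "PHP Warning: lime_sessions"}
{"src": "192.0.2.9", "status": 404, "message": "Yii route not found"}
not json at all
"""


def parse_records(text):
    """Yield dict records from JSON-lines text, skipping unparsable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def is_leaky_500(rec):
    """status=500 AND message contains a marker: the SIEM query's condition."""
    if rec.get("status") != 500:
        return False
    message = str(rec.get("message", ""))
    return any(marker in message for marker in LEAK_MARKERS)


def matching_records(text):
    """All records the SIEM query would return."""
    return [rec for rec in parse_records(text) if is_leaky_500(rec)]


def leaky_sources(text, threshold=3):
    """Map src -> count for sources with at least `threshold` leaky 500s.

    This is the list a responder would review before adding a block rule;
    a generic 500 (no marker) is deliberately not counted, so a patched or
    mitigated server that still returns 500s does not trip the threshold."""
    counts = Counter(rec["src"] for rec in matching_records(text) if "src" in rec)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in matching_records(SAMPLE_LOG):
        print("match:", rec["src"], rec["message"])
    print("sources over threshold:", leaky_sources(SAMPLE_LOG))
```

The generic "An internal error occurred." line is a 500 but is not counted, so this detection keeps working as a regression check after the workaround or patch is applied: a sudden return of matches means detailed errors are being served again.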