CVE-2025-41375

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in LimeSurvey v2.65.1+170522 allows attackers to manipulate database queries via the 'token' parameter in the '/index.php' endpoint. This enables unauthorized database access including data retrieval, modification, and deletion. All systems running the affected LimeSurvey version are vulnerable.

💻 Affected Systems

Products:
  • LimeSurvey
Versions: v2.65.1+170522
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected version are vulnerable regardless of configuration.

📦 What is this software?

LimeSurvey is a free, open-source web survey application written in PHP, normally deployed with a MySQL/MariaDB (or PostgreSQL/MSSQL) database. Survey invitations carry a per-participant access token, which is the value the '/index.php' endpoint reads from the 'token' parameter.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: exfiltration of survey responses and participant data, takeover of administrative accounts (by reading or rewriting the user table), and, where the application's database account has write or file privileges that reach the web root, server-side code execution and full system control.

🟠

Likely Case

Unauthorized access to survey data, user information, and configuration settings, potentially leading to data theft or manipulation.

🟢

If Mitigated

Limited impact: with a least-privilege database account (no DDL, no file or superuser privileges) the attacker cannot modify or destroy data or pivot to the host, but an injection into a read query still leaks whatever that account can SELECT. Edge input validation narrows the attack surface but is not a substitute for the patch.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via URL parameter is typically easy to exploit with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated in this advisory; check the LimeSurvey security advisories for the fixed release. Note that the 2.x line this build belongs to is long out of support, so in practice the fix is an upgrade to a currently supported release line.

Vendor Advisory: https://www.limesurvey.org/security/

Restart Required: No

Instructions:

1. Back up the database and the application files (including application/config/config.php and the upload directory).
2. Update to the latest patched version via the LimeSurvey update mechanism (ComfortUpdate) or a manual upgrade of the application files.
3. Verify the update completed: the version shown in the admin panel and in application/config/version.php must be the new one.
4. Test application functionality, in particular survey access via token links.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platforms: all

Deploy WAF rules that flag quotes, SQL comment sequences and SQL keywords in the token parameter of /index.php requests. A deny-list rule buys time but is bypassable (encoding, case, comment tricks); prefer a positive rule that allows only the alphanumeric token format the application issues.

Input Validation Filter

Platforms: all

Implement a custom input validation filter (for example in the reverse proxy or an early PHP include) that rejects any token parameter that is not a short alphanumeric string before the application processes it.
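The two halves of the workaround above, as an added example that is not code from the advisory or from LimeSurvey: an allow-list filter for the token parameter, shown beside a deliberately vulnerable string-concatenated lookup and its parameterized fix. The in-memory SQLite table and its schema are constructed for illustration, and the assumption that LimeSurvey tokens are short alphanumeric strings is the author's, not the advisory's.

```python
import re
import sqlite3

# Assumption (not from the advisory): participant tokens are short alphanumeric
# strings, so anything else can be rejected before it reaches SQL.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{1,36}")


def is_valid_token(token: str) -> bool:
    """Allow-list check: letters and digits only, bounded length."""
    return TOKEN_RE.fullmatch(token) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a participant table.

    The schema is illustrative only, not LimeSurvey's real one.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participants (tid INTEGER PRIMARY KEY, token TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO participants (token, email) VALUES (?, ?)",
        [("ab3Kx9QpL2", "alice@example.com"), ("Zq8vN1mT4r", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> list:
    """Deliberately vulnerable: the token is spliced into the SQL text."""
    sql = "SELECT email FROM participants WHERE token = '" + token + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, token: str) -> list:
    """Fix 1: bound parameter; the driver never interprets the token as SQL."""
    sql = "SELECT email FROM participants WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))]


def lookup_hardened(conn: sqlite3.Connection, token: str) -> list:
    """Fix 2 (defence in depth): allow-list first, then the bound query."""
    if not is_valid_token(token):
        return []
    return lookup_parameterized(conn, token)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology in the token parameter
    print(lookup_vulnerable(db, payload))      # leaks every row
    print(lookup_parameterized(db, payload))   # []
    print(lookup_hardened(db, "ab3Kx9QpL2"))   # ['alice@example.com']
```

The parameterized query alone already defeats the injection; the allow-list is there so that malformed tokens are rejected at the edge (and can be logged) before any database round trip.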

🧯 If You Can't Patch

  • Restrict network access to the survey front end to trusted IP ranges, or take the instance off the internet until it can be upgraded
  • Run the application under a least-privilege database account (no DDL, no FILE or superuser privileges, no access to other databases) so that a successful injection cannot alter the schema, write files or pivot

🔍 How to Verify

Check if Vulnerable:

Compare the installed version and build against the affected one: LimeSurvey v2.65.1, build 170522.

Check Version:

Read it from the administration panel, or from application/config/version.php on the server, which carries the version in $config['versionnumber'] and the build in $config['buildnumber'].

Verify Fix Applied:

Confirm the version is newer than v2.65.1+170522 and on a supported release line. Then re-test the token parameter non-destructively: send a known-good token, then the same token with a trailing single quote, and check that the second is rejected exactly like a random invalid token rather than producing an error page or an accepted survey. Do not run data-modifying payloads against production.
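The version check above, as an added example (not a LimeSurvey tool) for classifying many installs at once: it parses a copy of application/config/version.php and reports whether the build is the affected one. The sample file content is constructed, the $config['versionnumber'] / $config['buildnumber'] key names are the author's recollection of the 2.x layout and should be checked against a real install, and treating every 2.x build as unsupported is the author's assumption.

```python
import re

# Constructed sample of application/config/version.php (2.x style layout).
SAMPLE_VERSION_PHP = """<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
$config['versionnumber'] = "2.65.1";
$config['dbversionnumber'] = 263;
$config['buildnumber'] = '170522';
$config['updatable'] = true;
"""

AFFECTED_VERSION = "2.65.1"
AFFECTED_BUILD = "170522"

# Matches $config['key'] = value; with the value optionally quoted.
KV_RE = re.compile(r"""\$config\['(\w+)'\]\s*=\s*['"]?([^'";]+)['"]?\s*;""")


def parse_version_php(text: str) -> dict:
    """Extract the $config[...] assignments from version.php as a dict."""
    return {key: value.strip() for key, value in KV_RE.findall(text)}


def version_tuple(version: str) -> tuple:
    """'2.65.1' -> (2, 65, 1); sorts correctly where plain strings do not."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(cfg: dict) -> str:
    """Classify an install: affected build, unsupported 2.x line, or not listed."""
    version = cfg.get("versionnumber", "")
    build = cfg.get("buildnumber", "")
    if version == AFFECTED_VERSION and build == AFFECTED_BUILD:
        return "affected"
    parts = version_tuple(version)
    if parts and parts[0] == 2:
        # Assumption: the 2.x line is end-of-life, so treat it as exposed.
        return "unsupported-2.x"
    return "not-listed"


if __name__ == "__main__":
    cfg = parse_version_php(SAMPLE_VERSION_PHP)
    print(cfg["versionnumber"], cfg["buildnumber"], assess(cfg))   # 2.65.1 170522 affected
```

"not-listed" means only that the build is not the one named here; the advisory does not give a fixed version, so confirm against the vendor page before treating such an install as clean.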

📡 Detection & Monitoring

Log Indicators:

  • Web server access-log entries for /index.php whose token parameter contains quotes, comment sequences (--, #, /*) or SQL keywords, often URL-encoded
  • Bursts of 500 responses or database error text in the application log for token requests (error-based probing), and failed requests carrying SQL syntax in their parameters
  • Unusual SQL in the database general or slow-query log: UNION queries, information_schema reads, SLEEP/BENCHMARK calls
  • Unexpected database schema or user-table changes

Network Indicators:

  • HTTP requests whose token parameter contains SQL syntax, including URL-encoded and mixed-case variants
  • Query patterns from the web server's database account that do not match normal application traffic (unusually long queries, information_schema access, long-running sleep queries)

SIEM Query:

web.url:*token=* AND (web.url:*UNION* OR web.url:*SELECT* OR web.url:*INSERT* OR web.url:*DELETE*)

Caveats: this query is a starting point only. In many SIEMs it is case-sensitive (uNiOn is missed), it does not see URL-encoded payloads (a single quote arrives as %27, a space as %20), it misses quote-based and time-based probes that use no keyword at all, and it cannot match tokens submitted in a POST body. Normalise the token value (URL-decode, lowercase) before matching, and alert on any token that is not purely alphanumeric.
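The detection logic the SIEM query approximates, as an added example (not part of the advisory) run over constructed access-log lines in combined log format: it URL-decodes the token parameter, applies an alphanumeric allow-list, and reports which SQL pattern matched. The request URL shape (r=survey/index&sid=...&token=...) and the sample IPs and timestamps are constructed for illustration.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /index.php?r=survey/index&sid=123456&token=ab3Kx9QpL2 HTTP/1.1" 200 5123
10.0.0.9 - - [12/May/2025:10:01:07 +0000] "GET /index.php?r=survey/index&sid=123456&token=ab3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123
10.0.0.9 - - [12/May/2025:10:01:09 +0000] "GET /index.php?r=survey/index&sid=123456&token=1%20uNiOn%20sElEcT%20email,2,3%20FROM%20tokens-- HTTP/1.1" 500 312
10.0.0.7 - - [12/May/2025:10:02:00 +0000] "GET /index.php?r=survey/index&sid=123456&token=Zq8vN1mT4r HTTP/1.1" 200 5123
10.0.0.7 - - [12/May/2025:10:02:05 +0000] "GET /index.php?r=admin/authentication/sa/login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate tokens are short alphanumeric strings.
ALLOWED_TOKEN = re.compile(r"[A-Za-z0-9]{1,36}")
# Quotes, comment openers and common keywords; case-insensitive, so mixed case is caught.
SQLI_RE = re.compile(
    r"""['"]|--|#|/\*|\b(union|select|insert|update|delete|sleep|benchmark|information_schema)\b""",
    re.I,
)


def classify_token(token: str):
    """Return None for a clean token, otherwise a short reason string."""
    # parse_qs already decoded once; decoding again catches double-encoded payloads.
    decoded = urllib.parse.unquote_plus(token)
    if ALLOWED_TOKEN.fullmatch(decoded):
        return None
    match = SQLI_RE.search(decoded)
    return "sqli-pattern:" + match.group(0) if match else "non-alphanumeric"


def detect(log_text: str) -> list:
    """Scan access-log lines and return one alert per suspicious token value."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urllib.parse.urlsplit(m.group("url"))
        if not parts.path.endswith("/index.php"):
            continue
        query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
        for token in query.get("token", []):
            reason = classify_token(token)
            if reason:
                alerts.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": m.group("status"),
                    "token": token,
                    "reason": reason,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)   # two alerts, both from 10.0.0.9
```

The allow-list is what makes this robust: a quote-only or time-based probe that uses none of the listed keywords is still reported as "non-alphanumeric", which the keyword-only SIEM query would miss.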
