NGINX Unit (<1.34.2) Java Module: Infinite Loop CPU DoS
CVE-2025-1695 Published on March 4, 2025
NGINX Unit Java Vulnerability
In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Vulnerability Analysis
CVE-2025-1695 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is an Infinite Loop Vulnerability?
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.
CVE-2025-1695 has been classified to as an Infinite Loop vulnerability or weakness.
Products Associated with CVE-2025-1695
Want to know whenever a new CVE is published for F5 Networks Nginx? stack.watch will email you.
Affected Versions
F5 NGINX Unit:- Version 1.11.0 and below 1.34.2 is affected.
- Version * and below d7afeb2b94f1cd72ed02403609e5484f9514e5eb is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.