CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1695: NGINX Unit Java Vulnerability

5.3 CVSS

Description

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS).  There is no control plane exposure; this is a data plane issue only.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Classification

CVE ID: CVE-2025-1695

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem Types

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected Products

Vendor: F5

Product: NGINX Unit

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.29% (probability of being exploited)

EPSS Percentile: 49.64% (scored less or equal to compared to others)

EPSS Date: 2025-04-01 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1695
https://my.f5.com/manage/s/article/K000149959

Timeline