CVE-2025-41074 — Multiple vulnerabilities in Limesurvey

Description

Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denegation of Service (DoS attack), by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability.

How to fix CVE-2025-41074

To remediate CVE-2025-41074, upgrade the affected package to a fixed version below.

Bitnami/limesurvey—upgrade to 6.15.5 or later

Is CVE-2025-41074 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.13.0, < 6.15.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBnvd.nist.gov/vuln/detail/CVE-2025-41074
WEBwww.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0