CVE-2025-1695 MEDIUM

CVE-2025-1695: NGINX Unit Java Vulnerability

Vendor F5

Product NGINX Unit

Weakness CWE-835

Published March 4, 2025

Last update March 4, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

Disclosure timeline

March 4, 2025 CVE published

March 4, 2025 Record updated

Identifiers

CVE CVE-2025-1695

CWE CWE-835

CVSS 5.3 / MEDIUM

Affected versions

Vendor F5

Product NGINX Unit

Affected ≥ 1.11.0 and < 1.34.2

Vendor F5

Product NGINX Unit

Affected < d7afeb2b94f1cd72ed02403609e5484f9514e5eb