CVE-2025-41076 in LimeSurvey
Summary
by MITRE • 11/20/2025
In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/22/2025
This vulnerability in LimeSurvey version 6.13.0 represents a critical information disclosure flaw that exposes sensitive system internals through improper error handling mechanisms. The issue occurs when external users manipulate session cookies in ways that trigger internal server errors, specifically a 500 error response. The application's failure to implement proper error sanitization allows attackers to gain insights into the underlying technical infrastructure, creating a significant reconnaissance opportunity for malicious actors.
The technical exploitation involves sending malformed session cookies that cause the system to generate internal error responses rather than gracefully handling the invalid input. This design flaw enables attackers to discover critical information including the Yii framework version, database engine details, and specific table structures such as 'lime_sessions' with their primary key configurations. The exposure of these technical details through error messages constitutes a direct violation of secure coding practices and information hiding principles.
From an operational perspective, this vulnerability significantly weakens the security posture of LimeSurvey installations by providing attackers with detailed architectural information that can be leveraged for subsequent exploitation attempts. The disclosure of database schema elements and framework specifics enables attackers to craft more targeted attacks, potentially leading to session hijacking, SQL injection exploitation, or other advanced persistent threats. This information exposure aligns with CWE-209, which addresses the disclosure of error information, and represents a clear violation of the principle of least privilege in error handling.
The impact extends beyond immediate reconnaissance as attackers can use the gathered information to identify potential attack vectors and refine their exploitation strategies. The exposure of primary key structures and database table names provides insights into data relationships that could be exploited for unauthorized data access or manipulation. This vulnerability demonstrates poor input validation and error handling practices that contradict established security frameworks and industry standards for web application development.
Security mitigations should focus on implementing proper error handling mechanisms that prevent information disclosure, including the use of generic error messages, comprehensive input validation for session cookies, and proper sanitization of error responses. Organizations should also consider implementing web application firewalls to detect and block malformed cookie patterns, while ensuring that all error handling follows security best practices. The vulnerability highlights the importance of adhering to secure coding guidelines and implementing defense-in-depth strategies to prevent information leakage through error responses. Regular security assessments and code reviews should be conducted to identify similar issues in other components of the application stack.