CVE-2025-27497: OpenDJ Denial of Service (DoS) using alias loop
A denial-of-service (DoS) vulnerability in OpenDJ has been discovered that causes the server to become unresponsive to all LDAP requests without crashing or restarting. This issue occurs when an alias loop exists in the LDAP database. If an ldapsearch request is executed with alias dereferencing set to “always” on this alias entry, the server stops responding to all future requests.
I have confirmed this issue using the latest OpenDJ version (9.2), both with the official OpenDJ Docker image and a local OpenDJ server running on my Windows 10 machine.
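Because the hang is triggered by a pre-existing alias loop in the directory data, an administrator can audit for such loops offline before any client dereferences them. The following detector is an added example, not code from the advisory or the OpenDJ project: it assumes you have exported every entry with `objectClass=alias` together with its `aliasedObjectName` attribute using a search that does not dereference aliases (OpenDJ's `ldapsearch --dereferencePolicy never`), and it uses a simplified DN normalization that ignores escaped commas.

```python
"""Offline detector for alias loops in an LDAP directory (example code).

Input: (dn, aliasedObjectName) pairs for every entry with objectClass=alias,
collected with a search that does NOT dereference aliases. Output: every
alias chain that points back to one of its own members.
"""


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_alias_map(entries):
    """Map each alias DN to the DN it points at, both normalized."""
    return {normalize_dn(dn): normalize_dn(target) for dn, target in entries}


def find_alias_loops(entries):
    """Return a list of loops; each loop is the list of DNs forming the cycle."""
    alias_map = build_alias_map(entries)
    state = {}  # dn -> "visiting" (on the current chain) or "done"
    loops = []
    for start in alias_map:
        if start in state:
            continue
        path, node = [], start
        # Follow the alias chain until it leaves the alias set or repeats.
        while node in alias_map and state.get(node) != "done":
            if state.get(node) == "visiting":
                loops.append(path[path.index(node):])  # cycle = tail of path
                break
            state[node] = "visiting"
            path.append(node)
            node = alias_map[node]
        for dn in path:
            state[dn] = "done"
    return loops


# Constructed sample data (not taken from any real directory).
SAMPLE_ALIASES = [
    ("cn=alias-a,dc=example,dc=com", "cn=alias-b,dc=example,dc=com"),
    ("cn=alias-b,dc=example,dc=com", "cn=alias-a,dc=example,dc=com"),  # a <-> b loop
    ("cn=self,dc=example,dc=com", "CN=self, DC=example, DC=com"),  # self-referencing
    ("cn=ok,dc=example,dc=com", "cn=real-entry,dc=example,dc=com"),  # benign alias
]

if __name__ == "__main__":
    for loop in find_alias_loops(SAMPLE_ALIASES):
        print("alias loop:", " -> ".join(loop))
```

Any loop reported should be removed or repointed before clients are allowed to search with dereferencing enabled.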