CVE-2025-53094 HIGH

CVE-2025-53094: ESPAsyncWebServer Vulnerable to CRLF Injection in AsyncWebHeader.cpp

Vendor Esp32Async
Product ESPAsyncWebServer
Weakness CWE-93 · CRLF injection
Published June 27, 2025
Last update June 27, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

Key dates

02Disclosure timeline

June 27, 2025 CVE published
June 27, 2025 Record updated