Home > Vulnerability Database > CVE-2025-53094

Mend.io Vulnerability Database

CVE-2025-53094

Good to know:

Date: June 27, 2025

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within "AsyncWebHeader.cpp". Unsanitized input allows attackers to inject CR ("\r") or LF ("\n") characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-53094

Url: https://github.com/ESP32Async/ESPAsyncWebServer/security/advisories/GHSA-87j8-6f7g-h8wh

Url: https://github.com/ESP32Async/ESPAsyncWebServer/blob/1095dfd1ecf1a903aede29854232af1b24f089b1/src/AsyncWebHeader.cpp#L6-L32

Url: https://github.com/ESP32Async/ESPAsyncWebServer/pull/211

Url: https://www.mend.io/vulnerability-database/CVE-2025-53094

Severity Score

7.5

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-113

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93

Top Fix

Upgrade Version

Upgrade to version https://github.com/ESP32Async/ESPAsyncWebServer.git - null

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-53094

Good to know:

Date: June 27, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?