ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.
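As an added illustration of the defence against this class of bug (this is not the library's code nor the change in pull request 211), the snippet below validates header names against the RFC 7230 token grammar and rejects any value carrying CR, LF or other control characters before the header is serialized, so a single field can never terminate the line and start a new header; `Header`, `isValidHeaderName`, `isValidHeaderValue` and `serializeHeaders` are hypothetical names and the sample inputs are constructed.

```cpp
#include <cassert>
#include <cctype>
#include <optional>
#include <string>
#include <vector>

// RFC 7230 "tchar": the only characters permitted in a header field name.
static bool isTokenChar(unsigned char c) {
    static const std::string kExtra = "!#$%&'*+-.^_`|~";
    return std::isalnum(c) ||
           (c != 0 && kExtra.find(static_cast<char>(c)) != std::string::npos);
}

bool isValidHeaderName(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!isTokenChar(c)) return false;
    return true;
}

// Field values may hold visible ASCII, SP, HTAB and obs-text (0x80-0xFF).
// CR, LF, NUL and every other control character are rejected outright,
// because any of them lets the value break out of its own header line.
bool isValidHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n') return false;
        if (c < 0x20 && c != '\t') return false;
        if (c == 0x7F) return false;
    }
    return true;
}

struct Header { std::string name; std::string value; };

// Serializes the header block; refuses (nullopt) if any header is unsafe,
// rather than emitting it and corrupting the response framing.
std::optional<std::string> serializeHeaders(const std::vector<Header>& headers) {
    std::string out;
    for (const auto& h : headers) {
        if (!isValidHeaderName(h.name) || !isValidHeaderValue(h.value))
            return std::nullopt;
        out += h.name + ": " + h.value + "\r\n";
    }
    out += "\r\n";  // blank line ends the header block
    return out;
}

int main() {
    // Constructed inputs: one clean header, one value smuggling a CRLF.
    assert(serializeHeaders({{"Content-Type", "text/plain"}}).has_value());
    assert(!serializeHeaders({{"Location", "/\r\nX-Injected: 1"}}).has_value());
    return 0;
}
```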
Metrics
Affected Vendors & Products
References
History
Fri, 27 Jun 2025 21:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Metrics | | ssvc
Fri, 27 Jun 2025 20:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | | ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.
Title | | ESPAsyncWebServer Vulnerable to CRLF Injection in AsyncWebHeader.cpp
Weaknesses | | CWE-113 CWE-93
References | |
Metrics | | cvssV4_0

Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-06-27T19:57:15.032Z
Updated: 2025-06-27T20:19:14.457Z
Reserved: 2025-06-25T13:41:23.086Z
Link: CVE-2025-53094

Updated: 2025-06-27T20:19:04.852Z

Status: Awaiting Analysis
Published: 2025-06-27T20:15:35.173
Modified: 2025-06-30T18:38:23.493
Link: CVE-2025-53094

No data.