CVE-2025-52892
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7.
Analysis
EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical Context
This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7. Affected products include: Espocrm. Version information: version 9.1.7..
Affected Products
Espocrm.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today