What is the CVSS score of CVE-2025-52892?

CVE-2025-52892 has a CVSS 3.1 base score of 4.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Espocrm are affected by CVE-2025-52892?

Organizations using PHP. In should be aware of moderate risk from CVE-2025-52892 rated CVSS 4.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-52892?

Yes, a public proof-of-concept exploit is available for CVE-2025-52892. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-52892?

During next maintenance window: Identify affected systems running PHP. In and apply vendor patches when convenient. Vendor patch is available.

Espocrm CVE-2025-52892

MEDIUM

HTTP Request/Response Smuggling (CWE-444)

2025-08-05 security-advisories@github.com

Information Disclosure Request Smuggling Espocrm

4.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:05 vuln.today

Patch released

Mar 28, 2026 - 19:05 nvd

Patch available

PoC Detected

Sep 11, 2025 - 17:14 vuln.today

Public exploit code

CVE Published

Aug 05, 2025 - 01:15 nvd

MEDIUM 4.5

DescriptionNVD

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7.

AnalysisAI

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7. Affected products include: Espocrm. Version information: version 9.1.7..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.

CVE-2025-52892 vulnerability details – vuln.today

Back