Skip to main content

CVE-2025-53007

| EUVDEUVD-2025-19198 HIGH
HTTP Response Splitting (CWE-113)
2025-06-26 security-advisories@github.com
8.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:36 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.2.1,3.3.0-RC1
EUVD ID Assigned
Mar 15, 2026 - 23:54 euvd
EUVD-2025-19198
Analysis Generated
Mar 15, 2026 - 23:54 vuln.today
CVE Published
Jun 26, 2025 - 15:15 nvd
HIGH 8.9

DescriptionGitHub Advisory

arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain a HTTP Response Splitting vulnerability. The sendHeader function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and appends this to the outgoing HTTP response headers. There is no validation or sanitization of the name or value parameters before they are included in the HTTP response. If an attacker can control the input to sendHeader (either directly or indirectly), they could inject carriage return (\r) or line feed (\n) characters into either the header name or value. This could allow the attacker to inject additional headers, manipulate the structure of the HTTP response, potentially inject an entire new HTTP response (HTTP Response Splitting), and/or ause header confusion or other HTTP protocol attacks. Versions 3.3.0-RC1 and 3.2.1 contain a fix for the issue.

AnalysisAI

CVE-2025-53007 is a security vulnerability (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 8.9 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2025-53007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy