Skip to main content

ESPAsyncWebServer CVE-2025-53094

| EUVDEUVD-2025-19427 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2025-06-27 security-advisories@github.com
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 00:16 euvd
EUVD-2025-19427
Analysis Generated
Mar 16, 2026 - 00:16 vuln.today
CVE Published
Jun 27, 2025 - 20:15 nvd
HIGH 8.7

DescriptionGitHub Advisory

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within AsyncWebHeader.cpp. Unsanitized input allows attackers to inject CR (\r) or LF (\n) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

AnalysisAI

A security vulnerability in versions (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 8.7 indicates high severity. Affects versions.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2025-53094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy