Skip to main content

DECE Software Geodi CVE-2025-6175

HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2025-07-29 iletisim@usom.gov.tr
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:33 vuln.today

DescriptionCVE.org

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting.

This issue affects Geodi: before GEODI Setup 9.0.146.

AnalysisAI

HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).

Technical ContextAI

Geodi is an enterprise search and data discovery platform developed by DECE Software (Turkey) that indexes file shares, databases, and email archives via an HTTP-based web interface. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): user-controlled input is reflected into HTTP request or response headers without filtering carriage-return/line-feed (\r\n) bytes, which terminate header lines in the HTTP/1.x protocol grammar. An attacker who can splice raw CRLF pairs into a header value can break out of the intended header context and inject new headers or an entire second response, a class of attack known as HTTP request/response splitting and a common precursor to web cache poisoning and reflected XSS. CPE data was not provided in the input, so the exact product component (web frontend, API, or admin console) where the sink resides is not identified by NVD enumeration.

Affected ProductsAI

DECE Software Geodi at all versions prior to GEODI Setup 9.0.146 is affected; the fixed release is 9.0.146 or later. No CPE 2.3 string was supplied in the input and no vendor URL is included in the references, so component-level scoping (e.g., specific service or module) is not enumerated. The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0182 and the mirrored Turkish cyber-authority bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0182 are the authoritative public references.

RemediationAI

Vendor-released patch: GEODI Setup 9.0.146 - upgrade all Geodi installations to 9.0.146 or later as the primary remediation, following the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0182. Where immediate patching is not feasible, place the Geodi HTTP interface behind a reverse proxy or WAF configured to reject requests whose header values contain raw CR (0x0D) or LF (0x0A) bytes or their percent-encoded equivalents (%0d, %0a), which neutralizes the splitting primitive at the network edge with the trade-off of potentially breaking legitimate clients that send unusual but valid header content. Restrict the Geodi web endpoint to authenticated VPN or trusted management networks to remove the unauthenticated network attack vector at the cost of reducing remote usability. Disable or bypass any shared HTTP caches (CDN, forward proxy) sitting in front of Geodi until patched, since cache poisoning is the highest-impact downstream consequence of CRLF injection; the trade-off is reduced performance for cached responses.

Share

CVE-2025-6175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy