DECE Software Geodi CVE-2025-6175
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting.
This issue affects Geodi: before GEODI Setup 9.0.146.
AnalysisAI
HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).
Technical ContextAI
Geodi is an enterprise search and data discovery platform developed by DECE Software (Turkey) that indexes file shares, databases, and email archives via an HTTP-based web interface. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences): user-controlled input is reflected into HTTP request or response headers without filtering carriage-return/line-feed (\r\n) bytes, which terminate header lines in the HTTP/1.x protocol grammar. An attacker who can splice raw CRLF pairs into a header value can break out of the intended header context and inject new headers or an entire second response, a class of attack known as HTTP request/response splitting and a common precursor to web cache poisoning and reflected XSS. CPE data was not provided in the input, so the exact product component (web frontend, API, or admin console) where the sink resides is not identified by NVD enumeration.
Affected ProductsAI
DECE Software Geodi at all versions prior to GEODI Setup 9.0.146 is affected; the fixed release is 9.0.146 or later. No CPE 2.3 string was supplied in the input and no vendor URL is included in the references, so component-level scoping (e.g., specific service or module) is not enumerated. The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0182 and the mirrored Turkish cyber-authority bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0182 are the authoritative public references.
RemediationAI
Vendor-released patch: GEODI Setup 9.0.146 - upgrade all Geodi installations to 9.0.146 or later as the primary remediation, following the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0182. Where immediate patching is not feasible, place the Geodi HTTP interface behind a reverse proxy or WAF configured to reject requests whose header values contain raw CR (0x0D) or LF (0x0A) bytes or their percent-encoded equivalents (%0d, %0a), which neutralizes the splitting primitive at the network edge with the trade-off of potentially breaking legitimate clients that send unusual but valid header content. Restrict the Geodi web endpoint to authenticated VPN or trusted management networks to remove the unauthenticated network attack vector at the cost of reducing remote usability. Disable or bypass any shared HTTP caches (CDN, forward proxy) sitting in front of Geodi until patched, since cache poisoning is the highest-impact downstream consequence of CRLF injection; the trade-off is reduced performance for cached responses.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today