Web Application Vulnerability in EspoCRM by EspoCRM
CVE-2025-52892
4.5 MEDIUM
What is CVE-2025-52892?
EspoCRM is a web application with a single-page application frontend and a REST API backend written in PHP. In versions prior to 9.1.7, accessing EspoCRM through a URL that contains double slashes (e.g., https://domain//#Admin) can trigger the problem: if the webserver does not strip the double slashes, the cache of the Slim router can become corrupted, which leaves the application unusable until a full rebuild is performed. This issue highlights the importance of proper URL handling in web applications.
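To check whether such requests have reached a server, the access log can be scanned for request paths that contain consecutive slashes. The following is an added example, not code from EspoCRM or from this advisory; it assumes Combined Log Format, and the log lines, hosts and API paths in it are constructed. The fragment (`#Admin`) is never sent to the server, so the URL above is logged as a request for the path `//`.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def request_path(target):
    """Return the path of a request target, without query string or fragment."""
    if target.startswith("/"):
        # Origin-form. Split by hand: urlsplit() would treat a leading "//"
        # as the start of a host name rather than as part of the path.
        return target.split("?", 1)[0].split("#", 1)[0]
    # Absolute-form, e.g. "http://host//path" as sent through a forward proxy.
    return urlsplit(target).path

def find_double_slash_requests(lines):
    """Return (host, time, path, status) for requests whose path contains '//'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        path = request_path(m.group("target"))
        if "//" in path:
            hits.append((m.group("host"), m.group("time"), path, int(m.group("status"))))
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jul/2025:10:15:01 +0000] "GET // HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jul/2025:10:15:02 +0000] "GET /api/v1//Account HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jul/2025:10:16:40 +0000] "GET /?next=https://example.org//x HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.9 - - [02/Jul/2025:10:16:41 +0000] "GET /api/v1/Account HTTP/1.1" 200 870 "-" "curl/8.5.0"',
    '192.0.2.44 - - [02/Jul/2025:10:17:05 +0000] "GET http://crm.example//api/v1/App/user HTTP/1.1" 200 310 "-" "-"',
]

if __name__ == "__main__":
    for host, when, path, status in find_double_slash_requests(SAMPLE_LOG):
        print(f"{when} {host} {status} {path}")
```

Double slashes that appear only in the query string are deliberately ignored. A hit shows that an unnormalized path reached the logging server; it does not by itself show that the router cache was corrupted.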
Affected Version(s)
espocrm < 9.1.7