HTTP Response Splitting Vulnerability in Arduino ESP32 by Espressif
CVE-2025-53007
8.9 HIGH
What is CVE-2025-53007?
The Arduino ESP32 core prior to versions 3.3.0-RC1 and 3.2.1 suffers from a critical HTTP Response Splitting vulnerability. This flaw occurs because the sendHeader function accepts arbitrary user input as HTTP header names and values without proper validation or sanitization. An attacker capable of manipulating these inputs can insert carriage return or line feed characters, making it possible to inject extra headers or even create a separate, malicious HTTP response. This vulnerability can significantly compromise the integrity of the web server and expose it to various protocol and header manipulation attacks.
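A caller-side guard for sketches that cannot yet be upgraded, as an added example that is not code from this page or from the arduino-esp32 project: it validates a header name and value before they would be handed to sendHeader. The helper names (isValidHeaderName, isSafeHeaderValue, buildHeaderLine) are hypothetical, std::string stands in for the Arduino String type so the block runs off-device, and the sample inputs are constructed.

```cpp
#include <iostream>
#include <string>

// RFC 9110 "token" characters permitted in a header field name (ASCII only).
static bool isTokenChar(unsigned char c) {
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return true;
    const std::string extra = "!#$%&'*+-.^_`|~";
    return extra.find(static_cast<char>(c)) != std::string::npos;
}

// Hypothetical helper: a name must be a non-empty token, so CR, LF, ':' and
// spaces are all rejected.
bool isValidHeaderName(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!isTokenChar(c)) return false;
    return true;
}

// Hypothetical helper: a value may not contain CR, LF, NUL or any other
// control byte (horizontal tab is the one exception HTTP allows).
bool isSafeHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\t') continue;
        if (c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Writes "Name: value\r\n" to out only when both parts pass validation.
// On rejection out is left untouched and the caller should drop the header
// (or fail the request) instead of passing the input on to sendHeader.
bool buildHeaderLine(const std::string& name, const std::string& value,
                     std::string& out) {
    if (!isValidHeaderName(name) || !isSafeHeaderValue(value)) return false;
    out = name + ": " + value + "\r\n";
    return true;
}

int main() {
    std::string line;
    // Constructed inputs: one clean value, one carrying an embedded CRLF.
    std::cout << buildHeaderLine("Location", "/home", line) << "\n";
    std::cout << buildHeaderLine("Location", "/home\r\nSet-Cookie: x=1", line) << "\n";
    return 0;
}
```

Rejecting the input outright is deliberate: stripping CR and LF and sending the remainder would still forward attacker-chosen text into the response.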
Affected Version(s)
arduino-esp32 < 3.2.1
arduino-esp32 >= 3.3.0-alpha1, < 3.3.0-RC1