CRLF Injection Vulnerability in ESPAsyncWebServer by ESP32Async
CVE-2025-53094

8.7HIGH

Key Information:

Vendor

ESP32Async

CVE Published:
27 June 2025

What is CVE-2025-53094?

The ESPAsyncWebServer library, which serves HTTP and WebSocket applications on microcontrollers such as the ESP32 and ESP8266, is susceptible to a CRLF injection flaw due to improper handling of HTTP headers. The vulnerability arises because unsanitized input is incorporated when headers are constructed, allowing an attacker to inject CR (\r, 0x0D) or LF (\n, 0x0A) characters. Because CRLF terminates a header line, such injections allow arbitrary manipulation of HTTP headers and responses, enabling a range of follow-on attacks. A fix for this issue is available via a pull request and is set to be included in the upcoming release.
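The defect and the corresponding fix, as an added example in plain C++ that is not code from ESPAsyncWebServer or ESP32Async: a minimal header builder shows how a value containing CR/LF splits the header block into extra lines, and the check a fix applies before a value is written. The function names and the injected sample value are hypothetical, constructed for the example.

```cpp
#include <string>

// Returns true if the value contains no CR (0x0D) or LF (0x0A) bytes,
// i.e. it cannot terminate the current header line early.
bool isSafeHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n') return false;
    }
    return true;
}

// Vulnerable form: the value is concatenated verbatim. If it contains
// "\r\n", everything after it is emitted as an additional header line.
std::string buildHeaderUnsafe(const std::string& name, const std::string& value) {
    return name + ": " + value + "\r\n";
}

// Hardened form: refuses names or values that would break header framing
// and leaves the header buffer untouched. Returns false on rejection so
// callers (or a test) can observe that the header was not added.
bool addHeaderChecked(std::string& headers, const std::string& name,
                      const std::string& value) {
    if (!isSafeHeaderValue(name) || !isSafeHeaderValue(value)) {
        return false;
    }
    headers += name + ": " + value + "\r\n";
    return true;
}

// Counts how many "name: value" lines a client would parse from a
// serialized header block (one per terminating CRLF).
size_t countHeaderLines(const std::string& headers) {
    size_t count = 0;
    for (size_t pos = headers.find("\r\n"); pos != std::string::npos;
         pos = headers.find("\r\n", pos + 2)) {
        ++count;
    }
    return count;
}

int main() {
    // Constructed attacker-controlled value carrying an embedded CRLF.
    const std::string injected = "/home\r\nX-Injected: 1";
    std::string unsafeBlock = buildHeaderUnsafe("Location", injected);  // 2 lines
    std::string safeBlock;
    addHeaderChecked(safeBlock, "Location", injected);                  // rejected
    return (countHeaderLines(unsafeBlock) == 2 && safeBlock.empty()) ? 0 : 1;
}
```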

Affected Version(s)

ESPAsyncWebServer <= 3.7.8

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
