QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-53094

Back to search

CVE-2025-53094

Published: Jun 27, 2025

Modified: Jun 27, 2025

PUBLISHED

Description

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

VendorProductVersions

ESP32Async

ESPAsyncWebServer

affected
<= 3.7.8

Weaknesses (CWE)

CWE-93
CWE-113

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now