CVE-2025-53094 – ESPAsyncWebServer CRLF Injection Vulnerability

CVE ID : CVE-2025-53094

Published : June 27, 2025, 8:15 p.m.

Description : ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Header names and values are not sanitized, so an attacker who controls either one can inject CR (`\r`) or LF (`\n`) characters and terminate the header line early, leading to arbitrary header injection or response manipulation (for example, adding headers or splitting the response). Because manipulation of HTTP headers and responses enables a wide range of attacks, the severity of this vulnerability is rated high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.
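The following is an added illustration of the bug class described above; it is not code from ESPAsyncWebServer or from the fix in pull request 211, and uses `std::string` rather than the Arduino `String` type. The function names (`vulnerableHeaderLine`, `safeHeaderLine`, `parseHeaderBlock`) and the attacker-controlled value are constructed for this example. It shows a naive serializer emitting a smuggled `Set-Cookie` header from a single injected value, and a hardened serializer that validates the name against the RFC 7230 token grammar and rejects CR, LF and other control characters in the value:

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Hypothetical naive header serializer (not ESPAsyncWebServer code): it
// concatenates name and value straight into the wire format, so CR/LF in
// either part terminates the header line early.
std::string vulnerableHeaderLine(const std::string& name, const std::string& value) {
    return name + ": " + value + "\r\n";
}

// RFC 7230 field-name: 1*tchar (alphanumerics plus a fixed set of symbols).
bool isValidHeaderName(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (std::isalnum(c)) continue;
        switch (c) {
            case '!': case '#': case '$': case '%': case '&': case '\'': case '*':
            case '+': case '-': case '.': case '^': case '_': case '`': case '|': case '~':
                continue;
            default:
                return false;
        }
    }
    return true;
}

// Field-value: reject CR, LF, NUL and every other control character except
// horizontal tab, which RFC 7230 permits inside a value.
bool isValidHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\t') continue;
        if (c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Hardened serializer: refuses to emit the header at all when either part
// fails validation. Returns false and leaves `out` untouched on rejection.
bool safeHeaderLine(const std::string& name, const std::string& value, std::string& out) {
    if (!isValidHeaderName(name) || !isValidHeaderValue(value)) return false;
    out = name + ": " + value + "\r\n";
    return true;
}

// Minimal parser for a block of CRLF-terminated header lines, used here to
// show what a client would actually see on the wire.
std::vector<std::pair<std::string, std::string>> parseHeaderBlock(const std::string& raw) {
    std::vector<std::pair<std::string, std::string>> headers;
    size_t pos = 0;
    while (pos < raw.size()) {
        size_t eol = raw.find("\r\n", pos);
        if (eol == std::string::npos) eol = raw.size();
        std::string line = raw.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.empty()) continue;
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        size_t start = value.find_first_not_of(" \t");
        value = (start == std::string::npos) ? "" : value.substr(start);
        headers.emplace_back(name, value);
    }
    return headers;
}

// Constructed attacker input: meant to be one Content-Type value, but it
// carries an embedded CRLF followed by a second, attacker-chosen header.
const std::string kInjectedValue = "text/html\r\nSet-Cookie: session=attacker";

// Number of distinct headers a client parses from the vulnerable output
// (2: the injected Set-Cookie becomes a header of its own).
size_t headersSeenByClient() {
    return parseHeaderBlock(vulnerableHeaderLine("Content-Type", kInjectedValue)).size();
}
```

Rejecting rather than silently stripping the offending bytes is the safer default for a server library: stripping can still produce a header the caller never intended, whereas a hard failure surfaces the tainted input to the application. Whichever strategy the real fix chose, the check must sit at the point where the header is serialized, since names and values can reach it from several call sites.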

Severity: 0.0 | NA

