Vulnerability Description
ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.
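As an added illustration (not the library's code and not the content of pull request 211), the following C++ shows the unchecked header-serialization pattern the advisory describes beside a hardened variant that refuses any name or value containing CR or LF before the header line is written; the function names and the sample value are constructed for this write-up.

```cpp
#include <string>

// Naive serialization, mirroring the weakness class the advisory describes:
// name and value are concatenated verbatim, so an embedded "\r\n" ends the
// header line early and whatever follows is emitted as a further header.
std::string serializeHeaderUnchecked(const std::string& name,
                                     const std::string& value) {
    return name + ": " + value + "\r\n";
}

// True when the field contains neither CR nor LF.
bool headerFieldIsClean(const std::string& s) {
    return s.find('\r') == std::string::npos &&
           s.find('\n') == std::string::npos;
}

// Hardened variant (constructed for this write-up, not the library's own
// code): refuse the header entirely if the name or value could break out
// of its line. Returns an empty string on rejection.
std::string serializeHeaderChecked(const std::string& name,
                                   const std::string& value) {
    if (name.empty() || !headerFieldIsClean(name) ||
        !headerFieldIsClean(value)) {
        return "";
    }
    return name + ": " + value + "\r\n";
}

// Number of CRLF-terminated lines in a serialized blob; one header must
// yield exactly one line, so a count above one signals a split.
size_t countHeaderLines(const std::string& blob) {
    size_t n = 0;
    for (size_t pos = blob.find("\r\n"); pos != std::string::npos;
         pos = blob.find("\r\n", pos + 2)) {
        ++n;
    }
    return n;
}

int main() {
    // Constructed value carrying an embedded line break, as could be
    // reflected from an untrusted request field.
    const std::string tainted = "ok\r\nX-Injected: yes";
    bool split = countHeaderLines(serializeHeaderUnchecked("X-Status", tainted)) > 1;
    bool refused = serializeHeaderChecked("X-Status", tainted).empty();
    return (split && refused) ? 0 : 1;  // 0: unchecked path splits, checked path refuses
}
```

The same check belongs on header names as well as values, since a CR or LF in the name breaks the line just as effectively.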
Related Weaknesses (CWE)
References
- https://github.com/ESP32Async/ESPAsyncWebServer/blob/1095dfd1ecf1a903aede2985423
- https://github.com/ESP32Async/ESPAsyncWebServer/pull/211
- https://github.com/ESP32Async/ESPAsyncWebServer/security/advisories/GHSA-87j8-6f
FAQ
What is CVE-2025-53094?
CVE-2025-53094 is a documented vulnerability. ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulner...
How severe is CVE-2025-53094?
CVSS scoring is not yet available for CVE-2025-53094. Check NVD for updates.
Is there a patch for CVE-2025-53094?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.