CNNVD-202506-3596 Information
CNNVD ID
CNNVD-202506-3596
Related CVE
- CNNVD Published: 2025-06-27
Description
ESPAsyncWebServer is an asynchronous web server for microcontrollers such as the ESP8266 and ESP32, maintained by the ESP32 Asynchronous Networking community. ESPAsyncWebServer 3.7.8 and earlier contain an injection vulnerability: HTTP header construction and output in AsyncWebHeader.cpp is subject to CRLF injection, which may lead to arbitrary header injection or response manipulation.
Hazard Level
High
Vulnerability Type
Injection
Affected Vendor
ESP32 Asynchronous Networking
Published
2025-06-27
Last Modified
2026-02-24
References
https://github.com/ESP32Async/ESPAsyncWebServer/blob/1095dfd1ecf1a903aede29854232af1b24f089b1/src/AsyncWebHeader.cpp#L6-L32
https://github.com/ESP32Async/ESPAsyncWebServer/pull/211
https://github.com/ESP32Async/ESPAsyncWebServer/security/advisories/GHSA-87j8-6f7g-h8wh
https://access.redhat.com/security/cve/cve-2025-53094
Patch
https://github.com/me-no-dev/ESPAsyncWebServer