CVE-2025-53007 Overview
CVE-2025-53007 is an HTTP Response Splitting vulnerability [CWE-113] in the arduino-esp32 WebServer library, which provides an Arduino core for the ESP32 microcontroller. The flaw exists in the sendHeader function, which accepts arbitrary input for HTTP header names and values without sanitizing carriage return (\r) or line feed (\n) characters. Attackers who control input passed to sendHeader can inject additional headers, manipulate response structure, or inject entirely new HTTP responses. Versions prior to 3.3.0-RC1 and 3.2.1 are affected.
Critical Impact
Remote attackers can inject CRLF sequences into HTTP response headers, enabling response splitting, cache poisoning, cross-site scripting, and session fixation against ESP32-based web services.
Affected Products
- arduino-esp32 WebServer library versions prior to 3.2.1
- arduino-esp32 WebServer library versions prior to 3.3.0-RC1
- ESP32 firmware projects embedding the vulnerable WebServer.cpp
Discovery Timeline
- 2025-06-26 - CVE-2025-53007 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53007
Vulnerability Analysis
The arduino-esp32 WebServer library exposes WebServer::sendHeader(const String &name, const String &value, bool first) to application developers building HTTP services on ESP32 hardware. The function concatenates the supplied name and value arguments directly into an HTTP header line and appends them to the outgoing response. No validation rejects CRLF characters embedded in either parameter.
When application code passes attacker-controlled data, such as a query string parameter or form field, into sendHeader, an attacker can inject \r\n sequences. The injected bytes terminate the current header and introduce new headers or an entirely new HTTP response body. Downstream consequences include reflected cross-site scripting, HTTP cache poisoning of intermediate proxies, session fixation through forged Set-Cookie headers, and request smuggling against caching layers.
Root Cause
The root cause is missing input sanitization in the WebServer header-emission path. The function builds header lines through unchecked string concatenation, violating the CWE-113 control: improper neutralization of CRLF sequences in HTTP headers. Because ESP32 devices commonly serve management interfaces, IoT telemetry endpoints, and configuration portals, the vulnerable function is frequently reached from untrusted network input.
Attack Vector
Exploitation requires only network access to the ESP32 web service. The attacker submits an HTTP request containing CRLF-encoded bytes in a parameter that the firmware reflects into a response header through sendHeader. The web server emits the malformed header line verbatim, and the receiving HTTP client or intermediate cache parses the injected response as legitimate. No authentication or user interaction is required.
// Security patch in libraries/WebServer/src/WebServer.cpp
// fix(webserver): Validate header inputs
void WebServer::sendHeader(const String &name, const String &value, bool first) {
if (name.indexOf('\r') != -1 || name.indexOf('\n') != -1) {
log_e("Invalid character in HTTP header name");
return;
}
if (value.indexOf('\r') != -1 || value.indexOf('\n') != -1) {
log_e("Invalid character in HTTP header value");
return;
}
RequestArgument *header = new RequestArgument();
header->key = name;
header->value = value;
Source: GitHub Commit 21640ac
The patch rejects header names or values containing \r or \n, logs the violation, and returns without queueing the header.
Detection Methods for CVE-2025-53007
Indicators of Compromise
- HTTP request logs containing URL-encoded CRLF sequences (%0d%0a, %0D%0A) in query strings, form fields, or header values targeting ESP32 endpoints.
- Outbound HTTP responses from ESP32 devices containing duplicate Content-Length, Content-Type, or Set-Cookie headers.
- Unexpected HTTP/1.1 200 OK status lines appearing mid-response in captured traffic from embedded devices.
Detection Strategies
- Inspect WebServer source code in firmware projects for direct calls to sendHeader that pass user-controlled String arguments.
- Deploy network IDS signatures matching CRLF byte patterns in HTTP request parameters destined for IoT subnets.
- Compare deployed arduino-esp32 core versions against 3.2.1 and 3.3.0-RC1 using firmware build manifests.
Monitoring Recommendations
- Forward HTTP access logs from upstream reverse proxies fronting ESP32 services into a centralized analytics platform for CRLF detection.
- Alert on anomalous response sizes or header counts from embedded HTTP endpoints.
- Monitor GitHub dependency manifests and PlatformIO lockfiles for unpatched arduino-esp32 versions.
How to Mitigate CVE-2025-53007
Immediate Actions Required
- Upgrade the arduino-esp32 core to 3.2.1, 3.3.0-RC1, or later, then recompile and reflash all ESP32 devices that expose HTTP services.
- Audit firmware code for every call site that passes external input into WebServer::sendHeader and add explicit CRLF rejection until devices are reflashed.
- Restrict network reachability to ESP32 management interfaces using firewall rules or VLAN segmentation.
Patch Information
Espressif released the fix in commit 21640ac82a1bb5efa8cf0b3841be1ac80add6785, included in arduino-esp32 versions 3.2.1 and 3.3.0-RC1. The patch validates that header names and values do not contain \r or \n characters and aborts header insertion when violations are detected. Full details are available in the GitHub Security Advisory GHSA-5476-9jjq-563m.
Workarounds
- Wrap calls to sendHeader with a helper that strips or rejects \r and \n from both arguments before invocation.
- Place a reverse proxy such as nginx or HAProxy in front of ESP32 devices to normalize HTTP responses and drop malformed headers.
- Disable any application endpoints that reflect untrusted input into HTTP response headers until the firmware is patched.
# Verify arduino-esp32 core version in a PlatformIO project
pio pkg list -e esp32dev | grep arduino-esp32
# Update to patched version in platformio.ini
# platform_packages = framework-arduinoespressif32 @ ^3.2.1
pio pkg update -e esp32dev
pio run -t clean && pio run
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
