CVE-2025-53094 Overview
CVE-2025-53094 is a CRLF (Carriage Return Line Feed) injection vulnerability in ESPAsyncWebServer, an asynchronous HTTP and WebSocket server library used on ESP32, ESP8266, RP2040, and RP2350 microcontrollers. The flaw affects all versions up to and including 3.7.8. Unsanitized input passed into HTTP header names or values inside AsyncWebHeader.cpp allows attackers to inject \r and \n characters. This injection enables arbitrary HTTP header manipulation and response splitting. The vulnerability is tracked under CWE-93 (Improper Neutralization of CRLF Sequences). A fix is available in pull request 211 and is expected in version 3.7.9.
Critical Impact
Network-reachable attackers can inject arbitrary HTTP headers, enabling response splitting, cache poisoning, and session manipulation against IoT devices running affected firmware.
Affected Products
- ESPAsyncWebServer library versions ≤ 3.7.8
- Firmware targeting ESP32 and ESP8266 microcontrollers using the library
- Firmware targeting RP2040 and RP2350 microcontrollers using the library
Discovery Timeline
- 2025-06-27 - CVE-2025-53094 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53094
Vulnerability Analysis
The vulnerability resides in the HTTP header construction logic of AsyncWebHeader.cpp. The library accepts header names and values without filtering for control characters such as \r (CR, 0x0D) and \n (LF, 0x0A). HTTP uses the CRLF sequence as a structural delimiter between headers and between the header block and response body. When an attacker injects raw CR or LF bytes into attacker-controlled header inputs, the parser on the receiving end interprets those bytes as new header boundaries.
This allows attackers to terminate the current header prematurely, append arbitrary additional headers, or close the header section entirely and inject a synthetic response body. The injection point exists in a library that frequently runs on internet-exposed IoT devices, including home automation hubs, industrial sensors, and consumer ESP32 projects. The EPSS score is 0.331% with a 55.99 percentile.
Root Cause
The root cause is missing input neutralization for CRLF byte sequences in header field construction. The header serialization code in AsyncWebHeader.cpp concatenates user-influenced strings directly into the wire-format HTTP response without validating that the inputs contain only permitted header characters defined in RFC 7230. The flaw maps to CWE-93.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests containing CRLF sequences in fields that the application later reflects into response headers, such as cookies, redirect targets, or custom header echoes. The injected bytes split the response, allowing the attacker to forge headers like Set-Cookie, Location, or Content-Type. Successful exploitation enables HTTP response splitting, web cache poisoning of intermediate proxies, cross-site scripting via injected body content, and session fixation. Technical details of the vulnerable function are documented in the GitHub code snippet.
Detection Methods for CVE-2025-53094
Indicators of Compromise
- Inbound HTTP requests containing URL-encoded %0d, %0a, %0D%0A, or raw CR/LF bytes in query parameters, cookies, or header values
- HTTP responses from ESP-based devices containing unexpected duplicate headers such as multiple Set-Cookie or Location lines
- Anomalous Content-Length mismatches between proxy logs and device responses
Detection Strategies
- Inventory firmware images and PlatformIO/Arduino dependencies for ESPAsyncWebServer versions at or below 3.7.8
- Inspect web application firewall (WAF) and reverse proxy logs for CRLF byte patterns in request fields that flow into headers
- Apply WAF signatures that block requests containing raw or encoded CRLF sequences in non-body parameters
Monitoring Recommendations
- Forward HTTP access logs from devices and upstream proxies to a centralized analytics platform for CRLF pattern matching
- Monitor for unusual outbound redirects or cookie-setting behavior originating from IoT device endpoints
- Alert on responses where the same header name appears multiple times unexpectedly
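The two checks below implement the indicators and monitoring items above as an added example; this is not code from the ESPAsyncWebServer project or from any WAF product. The first scans a request field for raw or URL-encoded CR/LF (the %0d/%0a patterns listed under Indicators of Compromise), the second parses a response header block and reports header names that appear more than once (the duplicate Set-Cookie/Location signal). All sample inputs are constructed, and the placeholder header name in the encoded sample is invented for the demonstration.

```cpp
// Added example, not code from the ESPAsyncWebServer project: two checks that
// implement the indicators and monitoring items above over constructed data.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// True if a request field (query string, cookie, header value) carries a raw
// CR/LF byte or a URL-encoded one. %0d/%0a are matched case-insensitively,
// since %0D and %0d decode to the same byte.
bool hasCrlfInjection(const std::string& field) {
    for (size_t i = 0; i < field.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(field[i]);
        if (c == '\r' || c == '\n') return true;
        if (c == '%' && i + 2 < field.size() && field[i + 1] == '0') {
            int h = std::tolower(static_cast<unsigned char>(field[i + 2]));
            if (h == 'd' || h == 'a') return true;
        }
    }
    return false;
}

// Parses a raw HTTP response header block and returns the header names that
// appear more than once, lower-cased. Names are case-insensitive (RFC 7230),
// so "Set-Cookie" and "set-cookie" count as the same name. The first line is
// the status line and is skipped; the first blank line ends the block.
std::vector<std::string> duplicatedHeaderNames(const std::string& headerBlock) {
    std::map<std::string, int> counts;
    size_t pos = 0;
    bool statusLine = true;
    while (pos < headerBlock.size()) {
        size_t end = headerBlock.find("\r\n", pos);
        if (end == std::string::npos) end = headerBlock.size();
        std::string line = headerBlock.substr(pos, end - pos);
        pos = end + 2;
        if (line.empty()) break;
        if (statusLine) { statusLine = false; continue; }
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;  // malformed line, not a header
        std::string name = line.substr(0, colon);
        std::transform(name.begin(), name.end(), name.begin(),
                       [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
        ++counts[name];
    }
    std::vector<std::string> dups;
    for (const auto& kv : counts)
        if (kv.second > 1) dups.push_back(kv.first);
    return dups;
}

// Constructed samples (not captured traffic): a benign query string, one with an
// encoded CRLF followed by a placeholder header, and a response that sets the
// same cookie name twice.
const std::string kBenignQuery = "lang=en&theme=dark";
const std::string kEncodedCrlfQuery = "next=%2Fhome%0d%0aX-Placeholder:%201";
const std::string kDuplicateResponse =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc\r\n"
    "set-cookie: session=def\r\n"
    "\r\n";

int main() {
    std::cout << "benign query flagged: " << hasCrlfInjection(kBenignQuery) << "\n";
    std::cout << "encoded CRLF query flagged: " << hasCrlfInjection(kEncodedCrlfQuery) << "\n";
    for (const auto& name : duplicatedHeaderNames(kDuplicateResponse))
        std::cout << "duplicated header: " << name << "\n";
    return 0;
}
```

Run the request check over decoded and undecoded copies of each field when the log source does not tell you which one it stored; a double-encoded %250d only becomes visible after one decoding pass. The duplicate-header check is only a signal: some headers (Set-Cookie in particular) legitimately repeat, so alert on names that the device is not expected to emit more than once.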
How to Mitigate CVE-2025-53094
Immediate Actions Required
- Identify all firmware builds and projects depending on ESPAsyncWebServer ≤ 3.7.8 and schedule rebuilds against the patched release
- Restrict network exposure of ESP-based HTTP services to trusted management networks or VPN segments
- Deploy WAF or reverse proxy rules that strip CR and LF bytes from request headers, cookies, and query parameters before they reach the device
Patch Information
The maintainers merged a fix in pull request 211, which adds input neutralization for CR and LF bytes in AsyncWebHeader.cpp. The fix is expected to ship in version 3.7.9. Refer to the GitHub Security Advisory GHSA-87j8-6f7g-h8wh for advisory details. Rebuild firmware against version 3.7.9 or later and redeploy to all affected devices.
Workarounds
- Sanitize all application-level inputs by rejecting or stripping \r and \n characters before passing them to header-setting APIs
- Place affected devices behind a hardened reverse proxy that normalizes HTTP traffic and drops malformed headers
- Disable any device endpoints that reflect user-controlled values into response headers until firmware is updated
# Example WAF rule (ModSecurity) blocking CRLF injection in headers, cookies and query strings.
# t:urlDecodeUni turns single-encoded %0d/%0a (any case) into raw CR/LF before the regex runs,
# so raw bytes match [\r\n]; the encoded alternative still catches a double-encoded %250d/%250a.
# phase:2 is required because ARGS taken from a request body are not available earlier.
SecRule ARGS|REQUEST_HEADERS|REQUEST_COOKIES "@rx (?i)(?:\r|\n|%0[ad])" \
    "id:1005309,phase:2,t:none,t:urlDecodeUni,deny,status:400,log,msg:'CRLF injection attempt - CVE-2025-53094'"
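The example below is added to illustrate both the defect described under Vulnerability Analysis and Root Cause and the first workaround above; it is not code from ESPAsyncWebServer or from pull request 211. It models the header path the advisory describes: a value is reflected into a response header, serialized onto the wire unchanged, and a CR/LF inside it becomes a second header line when the response is parsed. The hardened variant validates names and values against the RFC 7230 token and field-value grammars and rejects the header instead of emitting it. Function names, the sample redirect target and the injected placeholder header are all invented for this example.

```cpp
// Added example, not the ESPAsyncWebServer project's own code: an unchecked
// header serializer next to one that enforces RFC 7230 name/value grammar.
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using Header = std::pair<std::string, std::string>;

// Vulnerable pattern: name and value are concatenated straight into wire
// format. Any CR/LF inside the value is written out as a header boundary.
std::string serializeUnchecked(const std::vector<Header>& headers) {
    std::string out;
    for (const auto& h : headers) out += h.first + ": " + h.second + "\r\n";
    return out;
}

// RFC 7230 field-value content: VCHAR / obs-text, separated by SP / HTAB.
// CR, LF, NUL and every other control character are never permitted.
bool isValidFieldValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == ' ' || c == '\t') continue;
        if (c >= 0x21 && c <= 0x7E) continue;  // VCHAR
        if (c >= 0x80) continue;               // obs-text
        return false;                          // CR, LF, NUL, other CTLs
    }
    return true;
}

// RFC 7230 token: one or more tchar (ALPHA / DIGIT / the listed punctuation).
bool isValidFieldName(const std::string& name) {
    static const std::string tcharPunct = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (std::isalnum(c)) continue;
        if (tcharPunct.find(static_cast<char>(c)) != std::string::npos) continue;
        return false;
    }
    return true;
}

// Hardened pattern: validate before serializing and reject bad input. Stripping
// CR/LF (the other option named in the workarounds) also closes the split, but
// rejecting surfaces the malformed input instead of silently rewriting it.
std::string serializeChecked(const std::vector<Header>& headers) {
    std::string out;
    for (const auto& h : headers) {
        if (!isValidFieldName(h.first) || !isValidFieldValue(h.second))
            throw std::invalid_argument("header rejected: control character in name or value");
        out += h.first + ": " + h.second + "\r\n";
    }
    return out;
}

// Counts the CRLF-delimited header lines a receiver would see before the first
// blank line, which is how the split shows up on the wire.
size_t countHeaderLines(const std::string& wire) {
    size_t count = 0, pos = 0;
    while (true) {
        size_t end = wire.find("\r\n", pos);
        if (end == std::string::npos || end == pos) break;
        ++count;
        pos = end + 2;
    }
    return count;
}

// Constructed sample: a redirect target reflected into Location, once benign
// and once carrying CRLF followed by a placeholder header name.
const std::string kBenignTarget = "/dashboard";
const std::string kInjectedTarget = "/dashboard\r\nX-Placeholder: 1";

int main() {
    std::vector<Header> bad{Header("Location", kInjectedTarget)};
    std::cout << "unchecked: " << countHeaderLines(serializeUnchecked(bad)) << " header line(s)\n";
    try {
        serializeChecked(bad);
    } catch (const std::invalid_argument& e) {
        std::cout << "checked: " << e.what() << "\n";
    }
    std::vector<Header> good{Header("Location", kBenignTarget)};
    std::cout << "checked benign: " << countHeaderLines(serializeChecked(good)) << " header line(s)\n";
    return 0;
}
```

The validation belongs at the point where an application-controlled string enters a header-setting call, not only in the library: even after the 3.7.9 fix, firmware that builds redirect targets or cookie values from request data should apply the same checks so that a future change in the library's behaviour does not reopen the split.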
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.