CVE-2025-59151 Overview
CVE-2025-59151 is a Carriage Return Line Feed (CRLF) injection vulnerability in the Pi-hole Admin Interface, the web management console for the Pi-hole network-level ad and tracker blocking application. The flaw affects all versions of the Pi-hole Web Interface prior to 6.3. When the application processes requests for files ending with the .lp extension, it performs HTTP redirects without sanitizing user-supplied input. Attackers can inject %0d%0a sequences to manipulate response headers and body content. The vulnerability is tracked under CWE-93: Improper Neutralization of CRLF Sequences and is fixed in version 6.3.
Critical Impact
Remote unauthenticated attackers can inject arbitrary HTTP response headers, enabling session fixation, cache poisoning, and bypass of browser security controls such as Content Security Policy and X-XSS-Protection.
Affected Products
- Pi-hole Web Interface versions prior to 6.3
- Pi-hole deployments exposing the admin interface to untrusted networks
- Self-hosted Pi-hole instances accessible via network or internet-facing reverse proxies
Discovery Timeline
- 2025-10-27 - CVE-2025-59151 published to the National Vulnerability Database
- 2025-12-18 - NVD record last updated
Technical Details for CVE-2025-59151
Vulnerability Analysis
The Pi-hole Admin Interface handles dynamic content through Lua pages identified by the .lp file extension. When a client requests one of these endpoints, the application generates a redirect response using attacker-controllable input. The redirect logic does not strip or encode carriage return (\r, URL-encoded as %0d) and line feed (\n, URL-encoded as %0a) characters before placing the decoded value into the Location header. Injected CRLF sequences terminate the header early and allow attackers to append additional headers or an entirely new response body.
This primitive enables several follow-on attacks. Attackers can set a Set-Cookie header to perform session fixation against authenticated administrators. They can inject cache-control directives to poison intermediate caches with malicious content. They can also overwrite headers such as Content-Security-Policy and X-XSS-Protection to disable browser defenses against subsequent cross-site scripting attempts.
Root Cause
The root cause is missing input neutralization in the redirect handler for .lp resources [CWE-93]. The application concatenates request-derived strings into outbound HTTP headers without filtering control characters that delimit header boundaries. Any byte sequence containing 0x0D 0x0A is treated by HTTP clients as the end of one header and the start of another.
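The following is an added illustration of the CWE-93 pattern described above, written for this page and not taken from Pi-hole's code. It models a redirect handler in Python rather than Lua: the vulnerable builder decodes a request parameter and concatenates it into the Location header, the hardened builder fails closed on any header-delimiting byte, and a minimal response parser shows how an HTTP client would read each result. The function names, the sample request target and the 400 fallback are assumptions made for the example.

```python
"""Constructed example: CRLF-unsafe redirect builder beside a hardened one.
Not Pi-hole's code; the handler names and inputs are invented for illustration."""
from urllib.parse import unquote


def _status_302(location: str) -> bytes:
    # Raw HTTP/1.1 response text; CRLF is the only header delimiter here.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("utf-8")


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern (CWE-93): the percent-decoded request value is placed
    into the Location header with no check for control characters."""
    return _status_302(unquote(target))


def build_redirect_safe(target: str) -> bytes:
    """Hardened pattern: decode once, then refuse the request if the decoded
    value contains any byte that could end a header line. Rejecting (rather
    than stripping) keeps the handler from emitting a value it did not intend."""
    location = unquote(target)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        # Fail closed with a static response that reflects nothing from the input.
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return _status_302(location)


def parse_response(raw: bytes) -> dict:
    """Split a raw response the way an HTTP client does: status line, then one
    header per CRLF-terminated line, then the body after the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": lines[0], "headers": headers, "body": body}


def header_names(raw: bytes) -> list:
    """Convenience: the header names a client would see, in order."""
    return [name for name, _ in parse_response(raw)["headers"]]


if __name__ == "__main__":
    # Constructed request target: a benign path followed by an encoded CRLF
    # and a second "header" line, the shape described in the advisory text.
    benign = "/admin/index.lp"
    injected = "/admin/index.lp%0d%0aSet-Cookie:%20sid=example"
    print("vulnerable:", header_names(build_redirect_vulnerable(injected)))
    print("hardened:  ", parse_response(build_redirect_safe(injected))["status"])
    print("benign:    ", header_names(build_redirect_safe(benign)))
```

Running the block shows the vulnerable builder producing three headers from one Location value, while the hardened builder answers 400 for the same input and still redirects normally for a clean path. Performing the check after percent-decoding matters: the server decodes %0d%0a before the value reaches the header, so a filter applied to the still-encoded string would miss exactly the bytes that cause the split.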
Attack Vector
Exploitation requires only network access to the Pi-hole admin interface and no authentication. An attacker crafts a URL targeting a .lp endpoint with URL-encoded CRLF characters in a parameter that flows into the redirect. The victim must visit the crafted link or have it loaded by a page they view. The server returns a manipulated response that the browser parses as multiple headers, completing the attack.
No public proof-of-concept code has been released for CVE-2025-59151. Technical details are described in the Pi-hole GitHub Security Advisory GHSA-5v79-p56f-x7c4.
Detection Methods for CVE-2025-59151
Indicators of Compromise
- HTTP requests to the Pi-hole admin interface targeting URLs with .lp extensions containing %0d, %0a, %0D, or %0A byte sequences
- Web server access logs showing unusual query parameters with encoded newline characters directed at the admin host
- Unexpected Set-Cookie, Content-Security-Policy, or Location header values in responses from .lp endpoints
- Browser console reports of CSP violations originating from the Pi-hole admin domain
Detection Strategies
- Inspect web proxy and Pi-hole lighttpd access logs for requests containing CRLF-encoded patterns in query strings or path segments
- Deploy web application firewall rules that block requests containing %0d%0a, \r\n, or raw control bytes in URLs targeting the admin interface
- Compare installed Pi-hole Web Interface version against 6.3 across managed hosts to identify unpatched instances
Monitoring Recommendations
- Forward Pi-hole host logs to a centralized SIEM and alert on requests to .lp paths containing URL-encoded control characters
- Monitor administrator session cookies for unexpected values or rotation patterns that suggest fixation attempts
- Track outbound responses from the admin interface for anomalous header counts or duplicated Location headers
How to Mitigate CVE-2025-59151
Immediate Actions Required
- Upgrade the Pi-hole Web Interface to version 6.3 or later on every affected host
- Restrict access to the Pi-hole admin interface to trusted management networks using firewall rules or reverse proxy authentication
- Rotate administrator session cookies and credentials after patching to invalidate any fixated sessions
- Review web server logs for prior exploitation attempts containing CRLF byte sequences
Patch Information
The vulnerability is fixed in Pi-hole Web Interface version 6.3. Administrators should apply the update using the standard pihole -up command or their package manager. Patch details and the official remediation are documented in the Pi-hole GitHub Security Advisory GHSA-5v79-p56f-x7c4.
Workarounds
- Place the Pi-hole admin interface behind a reverse proxy that strips or rejects control characters in request URIs
- Configure a web application firewall to block requests containing %0d, %0a, or raw \r\n bytes destined for .lp endpoints
- Limit admin interface exposure to localhost or VPN-only access until patching is complete
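As an added example serving both the Detection Strategies and Monitoring Recommendations above and the web application firewall workaround in this list, the Python block below implements the indicator the advisory describes: a request target whose path refers to a .lp resource and that carries %0d/%0a (either case), an escaped or raw CR/LF. The same predicate is run over a few constructed access-log lines (combined log format) to produce SIEM-style hits, and exposed as a block/allow decision a proxy or WAF rule could mirror. This code is written for this page, not taken from Pi-hole or any WAF product; the log lines, IP addresses and severity labels are constructed.

```python
"""Constructed example: CRLF-probe detector for Pi-hole admin access logs and
a matching request filter. Not Pi-hole's code; sample log lines are invented."""
import re
from urllib.parse import urlsplit

# Percent-encoded CR/LF in either case, the escaped "\r"/"\n" that some log
# writers emit for raw control bytes, or the raw bytes themselves.
_CRLF_RE = re.compile(r"%0[dDaA]|\\[rn]|[\r\n]")

# Combined log format as written by most web servers and reverse proxies.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def classify_request_target(target: str):
    """Return "high" for a CRLF-bearing request aimed at a .lp resource,
    "low" for CRLF bytes anywhere else, or None when nothing is suspicious."""
    if not _CRLF_RE.search(target):
        return None
    path = urlsplit(target).path.lower()
    # The injection may sit in the query string or right after ".lp" in the
    # path, so look for the extension anywhere in the path, not only at its end.
    return "high" if ".lp" in path else "low"


def should_block(target: str) -> bool:
    """WAF-style decision: block any CRLF-bearing request to a .lp resource."""
    return classify_request_target(target) == "high"


def scan_access_log(lines):
    """Yield one hit per log line whose request target is suspicious."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        severity = classify_request_target(m.group("target"))
        if severity:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
                "severity": severity,
            })
    return hits


# Constructed sample: one benign request, two encoded-CRLF probes against .lp
# pages (mixed case), and one CRLF byte against a non-.lp API path.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2025:10:01:02 +0000] "GET /admin/index.lp?tab=dns HTTP/1.1" 200 5120
203.0.113.77 - - [27/Oct/2025:10:01:09 +0000] "GET /admin/index.lp?next=%0d%0aSet-Cookie:%20sid=example HTTP/1.1" 302 0
203.0.113.77 - - [27/Oct/2025:10:01:15 +0000] "GET /admin/login.lp?ref=%0D%0AX-Test:%201 HTTP/1.1" 302 0
198.51.100.5 - - [27/Oct/2025:10:02:30 +0000] "GET /api/stats/summary?sid=%0a HTTP/1.1" 200 311
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["severity"]:<4} {hit["ip"]:<15} {hit["target"]}')
```

The detector matches %0D/%0A as well as the lowercase forms because percent-encoding is case-insensitive and an alert keyed only on %0d%0a would miss half the variants. A hit on a non-.lp path is reported at low severity rather than dropped, since the same encoded bytes elsewhere on the admin host are still worth a look during the log review recommended under Immediate Actions.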
# Update Pi-hole to a patched release
sudo pihole -up
# Verify the Web Interface version is 6.3 or later
pihole -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.