CVE-2025-59151

Exploit

EPSS 0.4%
Veröffentlicht 27.10.2025 19:42:59
Zuletzt bearbeitet 18.12.2025 16:21:39
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pi-hole ≫ Web Interface Version < 6.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.315

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-59151

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59151

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59151

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-59151