
1948 matches found

OSV
added 2025/06/27 7:57 p.m. · 4 views

CVE-2025-53094 ESPAsyncWebServer Vulnerable to CRLF Injection in AsyncWebHeader.cpp

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within AsyncWebHeader.cpp. Unsanitize...

CVSS 8.7 · AI score 7.2 · EPSS 0.00331
Exploits 0 · References 5
Positive Technologies
added 2025/06/27 12:00 a.m. · 3 views

PT-2025-27254 · Unknown · Espasyncwebserver

Name of the Vulnerable Software and Affected Versions: ESPAsyncWebServer versions up to and including 3.7.8. Description: A CRLF injection vulnerability exists in the construction and output of HTTP headers within AsyncWebHeader.cpp. Unsanitized input allows attackers to inject CR (\r) or LF characte...

CVSS 8.7 · AI score 7.5 · EPSS 0.00331
Exploits 0 · References 8
Github Security Blog
added 2025/06/26 9:31 p.m. · 10 views

Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling

Ruby WEBrick read_headers HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The...

CVSS 6.5 · AI score 6.9 · EPSS 0.00257
Exploits 0 · References 5 · Affected Software 1
Snyk
added 2025/06/26 2:46 p.m. · 1 view

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS) via the process handling HTTP header fields. An attacker can cause excessive memory consumption and potentially crash or render the server unresponsive by sending a large number of HTTP headers. Details: Denial of...

CVSS 8.7 · AI score 6.9 · EPSS 0.00542
Exploits 1 · References 2
Vulnrichment
added 2025/06/26 2:31 p.m. · 2 views

CVE-2025-52887 cpp-httplib has unlimited number of http header fields, which causes memory leak

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. In version 0.21.0, when many HTTP header fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected...

CVSS 7.5 · AI score 7 · EPSS 0.00542
Exploits 1 · References 2
OSV
added 2025/06/26 2:31 p.m. · 3 views

CVE-2025-52887 cpp-httplib has unlimited number of http header fields, which causes memory leak

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. In version 0.21.0, when many HTTP header fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected...

CVSS 7.5 · AI score 6.4 · EPSS 0.00542
Exploits 1 · References 4
Positive Technologies
added 2025/06/24 12:00 a.m. · 2 views

PT-2025-26976

Name of the Vulnerable Software and Affected Versions: cpp-httplib version 0.21.0. Description: The issue arises when multiple HTTP header fields are passed to the library, causing it to fail to limit the number of headers. As a result, the memory associated with these headers is not released when...

CVSS 7.8 · AI score 6.7 · EPSS 0.00542
Exploits 1 · References 28
CVE
added 2025/06/17 9:27 p.m. · 32 views

CVE-2025-49593

CVE-2025-49593 affects Portainer Community Edition prior to STS 2.31.0 and LTS 2.27.7. When an administrator is convinced to register a malicious container registry (or an existing registry is taken over), HTTP Headers including registry credentials and Portainer session tokens may be leaked to t...

CVSS 6.8 · AI score 6.8 · EPSS 0.00254
Exploits 0 · References 3
Cvelist
added 2025/06/17 9:27 p.m. · 6 views

CVE-2025-49593 Portainer HTTP Headers May Leak to Malicious Container Registries

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a maliciou...

CVSS 6.8 · EPSS 0.00254
Exploits 0 · References 3
Ubuntu
added 2025/06/16 1:37 a.m. · 7 views

USN-7568-1: Requests vulnerabilities

Dennis Brinkrolf and Tobias Funke discovered that Requests did not correctly handle certain HTTP headers. A remote attacker could possibly use this issue to leak sensitive information. This issue only affected Ubuntu 14.04 LTS. CVE-2023-32681 Juho Forsén discovered that Requests did not correctly...

CVSS 6.1 · AI score 7.2 · EPSS 0.05933
Exploits 2
OSV
added 2025/06/13 2:20 p.m. · 2 views

OESA-2025-1632 libsoup security update

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications, and also has a synchronous API, for use in threaded applications. Security Fixes: A denial-of-service vulnerability has been identified in the libsoup HTTP clien...

CVSS 7.5 · AI score 6.8 · EPSS 0.00986
Exploits 1 · References 4
Cvelist
added 2025/05/30 6:14 a.m. · 20 views

CVE-2025-48865 Fabio allows HTTP clients to manipulate custom headers it adds

Fabio is an HTTPS and TCP router for deploying applications managed by Consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and...

CVSS 9.1 · EPSS 0.00166
Exploits 1 · References 3
SUSE Linux
added 2025/05/28 2:33 p.m. · 2 views

Security update for go1.23-openssl

This update for go1.23-openssl fixes the following issues: Update to version 1.23.9 (bsc#1229122). Security fixes: CVE-2024-45336: net/http: sensitive headers incorrectly sent after cross-domain redirect (bsc#1236046). CVE-2024-45341: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints...

CVSS 6.5 · AI score 7.3 · EPSS 0.00294
Exploits 2 · References 24
Tenable Nessus
added 2025/05/27 12:00 a.m. · 9 views

RHEL 9 : php (RHSA-2025:7431)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:7431 advisory. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fixes: php: Header parser of http stream...

CVSS 9.8 · AI score 6.4 · EPSS 0.0103
Exploits 2 · References 13
RedhatCVE
added 2025/05/23 8:07 a.m. · 8 views

CVE-2024-45687

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules) and Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing. This issue affects Payar...

CVSS 2.4 · AI score 6.6 · EPSS 0.00222
Exploits 0
RedhatCVE
added 2025/05/23 8:03 a.m. · 5 views

CVE-2024-51501

Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET. The various header-related Refit attributes ([Header], [HeaderCollection] and [Authorize]) are vulnerable to CRLF injection. The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method. This...

CVSS 10 · AI score 7.5 · EPSS 0.00108
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 4:35 a.m. · 4 views

CVE-2023-41897

Home Assistant is an open source home automation platform. The Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks...

CVSS 9.6 · AI score 7.5 · EPSS 0.01875
Exploits 0
RedhatCVE
added 2025/05/23 2:53 a.m. · 9 views

CVE-2023-1208

The HTTP Headers WordPress plugin before 1.18.11 allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability...

CVSS 7.2 · AI score 7.5 · EPSS 0.03722
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 11:55 p.m. · 5 views

CVE-2022-2362

The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions...

CVSS 7.5 · AI score 6.7 · EPSS 0.00541
Exploits 2 · References 1
RedhatCVE
added 2025/05/22 11:32 p.m. · 4 views

CVE-2022-1762

The iQ Block Country WordPress plugin before 1.2.20 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers...

CVSS 7.5 · AI score 6.7 · EPSS 0.00245
Exploits 2 · References 1