High-Severity CRLF Injection Vulnerability in ESPAsyncWebServer Library 
CVE-2025-53094 is a high-severity vulnerability (CVSS 8.7) affecting the ESPAsyncWebServer library, which is widely used for asynchronous HTTP and WebSocket servers on embedded platforms such as ESP32, ESP8266, RP2040, and RP2350. The issue exists in versions up to and including 3.7.8 and involves a CRLF (Carriage Return Line Feed) injection vulnerability in the construction and output of HTTP headers within the source file AsyncWebHeader.cpp.
Nature of the Vulnerability
The vulnerability arises because the library does not properly sanitize input when constructing HTTP headers. This allows an attacker to inject CR (\r) or LF (\n) characters directly into header names or values. Such injection enables the attacker to manipulate HTTP headers or entire HTTP responses arbitrarily. This can lead to a variety of attacks including:
- HTTP Response Splitting: By injecting CRLF sequences, an attacker can create additional HTTP headers or responses, potentially splitting a single HTTP response into multiple responses. This can be exploited to perform cache poisoning, cross-site scripting (XSS), or other attacks.
- Cookie Manipulation: Injected headers can set or modify cookies, enabling session hijacking or fixation.
- Cache Poisoning: Malicious responses can be cached by intermediaries or browsers, leading to persistent delivery of harmful content.
- Other Header Manipulations: Arbitrary headers can be inserted or altered, affecting security policies, redirects, or content types.
Example Scenario
Suppose a web server using ESPAsyncWebServer accepts user input that is reflected in an HTTP header without validation. An attacker might submit a header value containing CRLF characters such as:
text
InjectedHeaderValue = "validvalue\r\nSet-Cookie: sessionid=malicious"
When the server constructs the HTTP response headers, this input causes the server to send an additional Set-Cookie header with an attacker-controlled session ID, potentially hijacking user sessions.
Alternatively, the attacker could inject a complete fake HTTP response after the CRLF sequence, causing the client to interpret the response differently, which can be exploited for XSS or other attacks.
Mitigation and Fix
The vulnerability has been addressed in a pull request (#211) and is expected to be included in version 3.7.9 of ESPAsyncWebServer. The fix involves sanitizing input to strip or encode CR and LF characters before including them in HTTP headers, preventing injection.
Best Practices to Prevent CRLF Injection
- Input Validation: Strictly validate and sanitize all user-supplied data that may be included in HTTP headers, ensuring no CR or LF characters are allowed.
- Output Encoding: Encode or escape special characters in header values to prevent them from being interpreted as control characters.
- Use Updated Libraries: Always update to the latest patched versions of libraries to incorporate security fixes.
- Secure Coding: Avoid directly reflecting user input in HTTP headers without proper checks.
Additional Context on CRLF Injection
CRLF injection is a well-known web security flaw where attackers insert unexpected CRLF sequences into HTTP headers to manipulate responses. This can lead to HTTP response splitting, cache poisoning, and session fixation attacks. Various tools exist to detect and exploit CRLF injection, such as crlfmap and crlfuzz.
Summary
- Vulnerability: CRLF injection in ESPAsyncWebServer ≤ 3.7.8 via unsanitized input in HTTP headers.
- Impact: Arbitrary HTTP header/response manipulation enabling session hijacking, cache poisoning, XSS, and other attacks.
- Severity: High (CVSS 8.7).
- Fix: Available in PR #211; included in version 3.7.9.
- Mitigation: Input validation, output encoding, and upgrading to fixed versions.
This vulnerability highlights the critical importance of sanitizing all user input used in HTTP headers to prevent injection attacks that can compromise web server behavior and user security.