SecuriTricks - CVE-2025-52892

Description

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7.

Product(s) Impacted

Vendor	Product	Versions
Esposoft	Espocrm	<9.1.7, 9.1.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	esposoft	espocrm	<9.1.7	/	/	/	/	/	/
a	esposoft	espocrm	9.1.7	/	/	/	/	/	/

References

https://github.com/espocrm/espocrm/commit/929611f317ce8892ea75873b0ab3094c0c510ff3

https://github.com/espocrm/espocrm/security/advisories/GHSA-26x2-6wch-j8pf

CVSS Score

4.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: Aug. 5, 2025, 1:15 a.m.
Last Modified: Aug. 5, 2025, 2:34 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-52892