CVE-2025-52892
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | < 9.1.7 (all releases before 9.1.7; 9.1.7 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling") | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. Here the inconsistency is between the web server, which may or may not collapse the duplicate slashes, and the EspoCRM application behind it, which receives the raw path. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52892 affects EspoCRM versions before 9.1.7 (9.1.6 and earlier). Loading the application URL with a double slash in the path (e.g., https://domain//#Admin), when the web server does not collapse the duplicate slashes before handing the request to the application, corrupts the Slim router's cache. The corrupted cache renders the EspoCRM instance unusable for every user until the cache is rebuilt, i.e. a denial of service. Version 9.1.7 fixes the issue by validating the request URI and rejecting such malformed URLs with an HTTP 400 response. [1, 2]
How can this vulnerability impact me? :
The impact is on availability only: a request whose path contains a double slash corrupts the Slim router's cache, and the EspoCRM instance stays unusable until the cache is rebuilt. Confidentiality and integrity are not affected. An attacker or a user with high privileges can trigger it simply by loading a specially crafted URL, so a single request is enough to cause the outage. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Look in the web server access logs for requests whose path contains a double slash. Two points matter for an accurate search: the URL fragment (`#Admin`) is handled by the browser and never sent to the server, so `//#` will not appear in any server log, and a bare `//` pattern also matches `http://` in the Referer and User-Agent columns. Restrict the match to the request-line field instead, for example on Apache or Nginx combined-format logs: `grep -E '"(GET|POST|HEAD) [^ ?"]*//' /var/log/apache2/access.log` or the same against `/var/log/nginx/access.log`. To confirm whether an instance is patched, send a request with a double slash in the path to a test or staging instance and check for an HTTP 400 Bad Request response; do not run this test against an unpatched production instance, because the request itself causes the outage. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade EspoCRM to version 9.1.7 or later, where the application validates the request URI and rejects URLs containing double slashes with an HTTP 400 error. If upgrading is not immediately possible, configure the web server or reverse proxy in front of EspoCRM to reject (HTTP 400) or rewrite requests whose path contains `//`, so that malformed requests never reach the application. If an instance has already been hit, rebuild the cache to restore service, then apply the upgrade or the web server rule so that it cannot be triggered again. [1, 2]
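The following script is an added example for the detection and mitigation answers above; it is not code from EspoCRM, Slim or BaseFortify. It searches combined-format access logs for requests whose path (not the Referer, User-Agent or query string) contains a double slash, and it implements the same "reject if the path contains //" test that a front-end web server rule would apply. The nginx and Apache rules quoted in the comments are assumed equivalents of that check, not the vendor's configuration; the sample log lines are constructed for this example, and the check looks only at literal `//` bytes, so percent-encoded slashes (`%2F`) are not covered.

```shell
#!/usr/bin/env bash
# Added example; not code from EspoCRM or BaseFortify.
# Finds access-log requests whose *path* contains "//" (the trigger for
# CVE-2025-52892) and shows the same check a front-end web server rule
# would apply to return HTTP 400 before the request reaches EspoCRM.
set -eu

# Match only inside the request-line field ("METHOD /path HTTP/x.y"), and
# only before any "?", so "http://" in the Referer or User-Agent columns
# and "//" inside query strings do not count. The "#Admin" fragment of the
# advisory's example URL is never sent by the browser, so it is not logged.
DOUBLE_SLASH_RE='"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ ?"]*//'

# Print matching lines from one or more Apache/nginx combined-format logs.
find_double_slash_requests() {
  grep -E "$DOUBLE_SLASH_RE" "$@" || true
}

# Count matching lines in one log file (prints 0 when there are none).
count_double_slash_requests() {
  grep -Ec "$DOUBLE_SLASH_RE" "$1" || true
}

# Pre-check for a single request target, as a reverse-proxy rule would do.
# Exit status 0 = reject (path part contains "//"), 1 = allow.
# Assumed web-server equivalents (placement in your vhost is up to you):
#   nginx, inside server {}:  if ($request_uri ~ "^[^?]*//") { return 400; }
#   Apache mod_rewrite:       RewriteCond %{THE_REQUEST} \s[^?\s]*//
#                             RewriteRule ^ - [R=400,L]
# All of these act on the literal request bytes; percent-encoded slashes
# (%2F) are not covered by this check.
path_has_double_slash() {
  printf '%s\n' "$1" | grep -Eq '^[^?]*//'
}

# Constructed sample log (combined format); not real traffic.
# Line 1: "//" only in the Referer column -> must not match.
# Line 2: request for "//" (the advisory's example, fragment dropped) -> match.
# Line 3: "//" in the middle of the path -> match.
# Line 4: "//" only inside the query string -> must not match.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [05/Aug/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "https://example.org//" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2025:10:00:02 +0000] "GET // HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Aug/2025:10:00:03 +0000] "GET /api/v1//App/user HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.9 - - [05/Aug/2025:10:00:04 +0000] "GET /?back=https://example.org/ HTTP/1.1" 200 100 "-" "curl/8.5.0"
EOF

# Usage: list the suspicious requests (lines 2 and 3), then test one target.
find_double_slash_requests "$SAMPLE_LOG"
if path_has_double_slash '/api/v1//App/user'; then
  echo "reject: /api/v1//App/user"
fi
```

Run it against a real log with `find_double_slash_requests /var/log/nginx/access.log`; a non-empty result on an instance older than 9.1.7 is a sign the cache may already be corrupted and needs rebuilding, while on a patched instance the same requests should show a 400 status in the log.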