CVE-2025-59151
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59151, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-27

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-27
Last Modified
2025-12-18
Generated
2026-07-06
AI Q&A
2025-10-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pi-hole web_interface to 6.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Carriage Return Line Feed (CRLF) injection in the Pi-hole Admin Interface before version 6.3. When a request is made to a file ending with the .lp extension, the application redirects without properly sanitizing input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate HTTP response headers and content, allowing injection of arbitrary HTTP headers. This can lead to session fixation, cache poisoning, and bypassing browser security mechanisms like Content Security Policy or X-XSS-Protection.

Impact Analysis

This vulnerability can impact you by allowing attackers to manipulate HTTP response headers, which can result in session fixation (taking over user sessions), cache poisoning (serving malicious content), and weakening or bypassing browser security features. These impacts can compromise the security and integrity of your network-level advertisement and tracker blocking managed by Pi-hole.

Mitigation Strategies

Upgrade the Pi-hole Admin Interface to version 6.3 or later, as this version contains the fix for the CRLF injection vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart