CVE-2025-59151
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59151
EUVD
EUVD-2025-36364
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pi-hole web_interface to 6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Carriage Return Line Feed (CRLF) injection in the Pi-hole Admin Interface before version 6.3. When a request is made to a file ending with the .lp extension, the application redirects without properly sanitizing input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate HTTP response headers and content, allowing injection of arbitrary HTTP headers. This can lead to session fixation, cache poisoning, and bypassing browser security mechanisms like Content Security Policy or X-XSS-Protection.

Impact Analysis

This vulnerability can impact you by allowing attackers to manipulate HTTP response headers, which can result in session fixation (taking over user sessions), cache poisoning (serving malicious content), and weakening or bypassing browser security features. These impacts can compromise the security and integrity of your network-level advertisement and tracker blocking managed by Pi-hole.

Mitigation Strategies

Upgrade the Pi-hole Admin Interface to version 6.3 or later, as this version contains the fix for the CRLF injection vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart