CVE-2025-52892

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/espocrm/espocrm/commit/929611f317ce8892ea75873b0ab3094c0c510ff3
https://github.com/espocrm/espocrm/security/advisories/GHSA-26x2-6wch-j8pf

Configurations

No configuration.

History

05 Aug 2025, 14:34

Type	Values Removed	Values Added
Summary		(es) EspoCRM es una aplicación web con un frontend diseñado como aplicación de página única y un backend con API REST escrito en PHP. En las versiones 9.1.6 y anteriores, si un usuario carga Espo en el navegador con barras diagonales dobles (p. ej., https://dominio//#Admin) y el servidor web no las elimina, puede dañar la caché del enrutador Slim. Esto inutilizará la instancia hasta que se complete la reconstrucción. Esto se solucionó en la versión 9.1.7.

05 Aug 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 01:15

Updated : 2025-08-05 14:34

NVD link : CVE-2025-52892

Mitre link : CVE-2025-52892

CVE.ORG link : CVE-2025-52892

JSON object : View

Products Affected

No product.

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

4.5 /10