What is CVE-2025-52892?

CVE-2025-52892 is a medium-severity vulnerability in Espocrm, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 4.5/10. Published 2025-08-05.

How severe is CVE-2025-52892?

Medium severity. CVSS v3 base score is 4.5 out of 10.

Vulnerability in Espocrm

CVE-2025-52892

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.002 (39.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H.

Affected products

Espocrm — versions < 9.1.7

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

https://github.com/espocrm/espocrm/security/advisories/GHSA-26x2-6wch-j8pf (x_refsource_CONFIRM)
https://github.com/espocrm/espocrm/commit/929611f317ce8892ea75873b0ab3094c0c510ff3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-52892?: CVE-2025-52892 is a medium-severity vulnerability in Espocrm, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 4.5/10. Published 2025-08-05.
How severe is CVE-2025-52892?: Medium severity. CVSS v3 base score is 4.5 out of 10.