Vulnerability in Espressif Arduino-esp32
CVE-2025-53007
arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain an HTTP Response Splitting vulnerability. The `sendHeader` function takes arbitrary input for the HTTP header name and value, concatenates t…
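The defect described above is the absence of any check on the header name and value before they are joined into a response line, so a CR/LF pair inside either one ends the header early and whatever follows is parsed as a further header or as body. As an added example, not code from the arduino-esp32 project or from its fix commit, the following C++ validator refuses such input before the concatenation happens; the function names, and the choice to hold header names to the strict RFC 7230 token alphabet rather than only rejecting CR and LF, are assumptions made for illustration.

```cpp
// Added example (not arduino-esp32 project code): reject header names and
// values that could terminate a header line and inject further lines into
// an HTTP response, the class of issue described in CVE-2025-53007.
#include <cctype>
#include <string>

// RFC 7230 "token" characters permitted in a header field name.
// Assumption: strict token validation is wanted, not just CR/LF rejection.
static bool isTokenChar(unsigned char c) {
    if (std::isalnum(c)) return true;
    switch (c) {
        case '!': case '#': case '$': case '%': case '&': case '\'':
        case '*': case '+': case '-': case '.': case '^': case '_':
        case '`': case '|': case '~':
            return true;
        default:
            return false;
    }
}

// True when `name` is a non-empty token: no CR, LF, NUL, spaces or ':'.
bool isValidHeaderName(const std::string& name) {
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (!isTokenChar(c)) return false;
    }
    return true;
}

// True when `value` contains no CR, LF or NUL. Those are the bytes that let
// a caller-supplied value close the current header and start a new line.
bool isValidHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Produces the wire form "Name: value\r\n" only when both parts validate.
// On failure it sets `ok` to false and returns an empty string so the caller
// can decline to send the header instead of emitting a split response.
std::string buildHeaderLine(const std::string& name,
                            const std::string& value, bool& ok) {
    ok = isValidHeaderName(name) && isValidHeaderValue(value);
    if (!ok) return std::string();
    return name + ": " + value + "\r\n";
}
```

The same two checks apply unchanged to the Arduino `String` type; the point is that validation runs on each call, before the name and value are concatenated, and that an invalid pair is dropped rather than "cleaned" in a way the caller does not see.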
EPSS: 0.004 (61.8th percentile)
Affected products
- Espressif Arduino-esp32 — versions < 3.2.1; versions >= 3.3.0-alpha1 and < 3.3.0-RC1
Weakness classification (CWE)
References
- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-5476-9jjq-563m (x_refsource_CONFIRM)
- https://github.com/espressif/arduino-esp32/commit/21640ac82a1bb5efa8cf0b3841be1ac80add6785 (x_refsource_MISC)
- https://github.com/espressif/arduino-esp32/blob/9e61fa7e4bce59c05cb17c15b11b53b9bafca077/libraries/WebServer/src/WebServer.cpp#L504-L521 (x_refsource_MISC)
- https://github.com/espressif/arduino-esp32/blob/9e61fa7e4bce59c05cb17c15b11b53b9bafca077/libraries/WebServer/src/WebServer.cpp#L577-L582 (x_refsource_MISC)