PT-2025-27254 · Unknown · ESPAsyncWebServer

Jlleitschuh · Published 2025-06-27 · Updated 2025-06-28 · CVE-2025-53094

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ESPAsyncWebServer versions up to and including 3.7.8
Description: A CRLF injection vulnerability exists in the construction and output of HTTP headers in AsyncWebHeader.cpp. Header names and values are written without sanitization, so an attacker who controls input that ends up in a header can inject CR (\r) or LF (\n) characters and terminate the header line early. Whatever follows is then emitted as additional response headers or, after an injected blank line, as an attacker-controlled response body, giving arbitrary header or response manipulation (HTTP header injection / response splitting) and enabling a wide range of follow-on attacks.
Recommendations: For versions up to and including 3.7.8, apply the fix from pull request 211, which is expected to ship in version 3.7.9. As a temporary workaround until the patch is applied, reject or strip CR and LF characters from any attacker-influenced data before it reaches AsyncWebHeader.cpp, for example request parameters that a handler reflects into response headers.
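The following is an added example and not code from the ESPAsyncWebServer project or from the advisory. It models the flaw class in a standalone C++ snippet: a header serialiser that concatenates untrusted input verbatim (the "before" behaviour described above) beside a hardened variant that rejects CR and LF, which is the interim workaround the advisory suggests. The function names, the simplified serialiser and the sample attacker input are assumptions for illustration; the real AsyncWebHeader implementation and the contents of pull request 211 are not reproduced here.

```cpp
#include <cstddef>
#include <string>

// Illustrative model of the flaw class, not the library's own AsyncWebHeader
// code: the header line is built by concatenating name and value verbatim, so a
// CR or LF in either one ends the line early and whatever follows is parsed by
// the client as further headers (or, after an empty line, as the body).
std::string buildHeaderVulnerable(const std::string& name, const std::string& value) {
    return name + ": " + value + "\r\n";
}

// Check used by the hardened variant. Mirrors the advisory's workaround: keep
// CR and LF out of anything that reaches the header serialiser. Rejecting is
// preferred over stripping so a tampered value fails loudly instead of
// silently changing meaning.
bool headerIsClean(const std::string& name, const std::string& value) {
    auto hasCrLf = [](const std::string& s) {
        return s.find('\r') != std::string::npos || s.find('\n') != std::string::npos;
    };
    return !name.empty() && !hasCrLf(name) && !hasCrLf(value);
}

// Hardened variant: returns the serialised header, or an empty string when the
// name or value is rejected.
std::string buildHeaderSafe(const std::string& name, const std::string& value) {
    if (!headerIsClean(name, value)) return std::string();
    return name + ": " + value + "\r\n";
}

// Number of complete header lines in a serialised header block. One
// addHeader-style call should contribute exactly one; more means the input
// split the response.
std::size_t countHeaderLines(const std::string& block) {
    std::size_t n = 0;
    std::size_t pos = 0;
    while ((pos = block.find("\r\n", pos)) != std::string::npos) {
        ++n;
        pos += 2;
    }
    return n;
}

// True when the block contains an empty line, i.e. the header section has been
// terminated and anything after it would be sent as the response body.
bool terminatesHeaders(const std::string& block) {
    return block.find("\r\n\r\n") != std::string::npos;
}

int main() {
    // Constructed attacker input, e.g. a query parameter that a handler
    // reflects into a response header.
    const std::string injectHeader = "ok\r\nSet-Cookie: session=attacker";
    const std::string injectBody   = "ok\r\n\r\n<html>phish</html>";

    // Vulnerable path: a single header call yields two header lines, or a body.
    bool vulnSplits = countHeaderLines(buildHeaderVulnerable("X-Echo", injectHeader)) == 2;
    bool vulnBody   = terminatesHeaders(buildHeaderVulnerable("X-Echo", injectBody));

    // Hardened path: both payloads are rejected, a clean value passes unchanged.
    bool safeRejects = buildHeaderSafe("X-Echo", injectHeader).empty()
                    && buildHeaderSafe("X-Echo", injectBody).empty()
                    && buildHeaderSafe("X\r\nEvil", "v").empty();
    bool safePasses  = buildHeaderSafe("X-Echo", "ok") == "X-Echo: ok\r\n";

    return (vulnSplits && vulnBody && safeRejects && safePasses) ? 0 : 1;
}
```

In a sketch, the same check belongs at the point where request-derived data is handed to the response's header-adding API, before it can reach the serialiser; checking there means every header path is covered, not just the one a particular handler happens to use. Note that a name containing CR or LF is just as dangerous as a value containing them, which is why the check covers both.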

Related Identifiers

BDU:2025-15912
CVE-2025-53094
GHSA-87J8-6F7G-H8WH

Affected Products

ESPAsyncWebServer