CVE-2025-59151

Name of the Vulnerable Software and Affected Versions Pi-hole Admin Interface versions prior to 6.3

Description The Pi-hole Admin Interface, a web interface for managing the Pi-hole advertisement and internet tracker blocking application, contains a Carriage Return Line Feed (CRLF) injection flaw. When handling requests for files ending with the .lp extension, the application fails to properly sanitize input, allowing attackers to inject carriage return and line feed characters (%0d%0a). This enables manipulation of HTTP response headers and content, potentially leading to session fixation, cache poisoning, and weakening of browser security mechanisms like Content Security Policy or X-XSS-Protection. The vulnerability occurs when a request is made to a file ending with the .lp extension, and the application performs a redirect without proper input sanitization.

Recommendations Update to version 6.3 or later.