EspoCRM Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) Vulnerability - CVE-2025-52892 - Vulnerability Database

Medium
Reference: CVE-2025-52892
Title: EspoCRM Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) Vulnerability
Overview:

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g. https://domain//Admin) and the web server does not strip the double slash, the Slim router's cache can become corrupted. This makes the instance unusable until a rebuild is completed. This is fixed in version 9.1.7.
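
To find out whether such requests are reaching an instance, the following added example (not part of the advisory or of EspoCRM) scans web server access logs for request paths containing consecutive slashes. It assumes the common/combined log format; the log lines, addresses and host name are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Common/combined log format (assumed): client, timestamp, request line, status
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})'
)

def has_empty_segment(target):
    """True if the *path* of a request target contains consecutive slashes."""
    if target.startswith("/"):
        # Origin-form target. Do not pass it to urlsplit(): "//Admin" would be
        # parsed as a network location with an empty path and the hit is lost.
        path = target.split("?", 1)[0]
    else:
        # Absolute-form target (http://host/path) or "*": let urlsplit drop
        # the scheme and authority so "http://" itself is not counted.
        path = urlsplit(target).path
    return "//" in path

def find_double_slash_requests(lines):
    """Return (client, timestamp, target, status) for each matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and has_empty_segment(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(4), int(m.group(5))))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET //Admin HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jul/2025:10:00:09 +0000] "GET /Admin HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jul/2025:10:01:12 +0000] '
    '"GET /?next=https://example.org//a HTTP/1.1" 200 900',
    '198.51.100.4 - - [01/Jul/2025:10:02:30 +0000] '
    '"GET http://crm.example//Admin HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, ts, target, status in find_double_slash_requests(SAMPLE_LOG):
        print(f"{ts}  {client}  {status}  {target}")
```

A hit with a successful status means the web server passed the path through without merging the slashes, so the timestamp marks a point at which the router cache may have been affected.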