CVE-2025-59151

HIGH EPSS 31.6%

Published Oct 27, 20258mo ago · Modified Jun 17, 20261w ago

8.2 CVSS 3.1

High

Published Oct 27, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.

CVSS Details

Base Score

8.2

Exploitability

3.9

Impact

4.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability Low

Threat Intelligence

EPSS Exploit Probability

31.6% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-113

CWE-93

Affected Products 1

Vendor	Product	Version	Range
pi-hole	web_interface	*	<6.3

References 1

github.com https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.