CVE-2025-59151
Published: 27 October 2025
Summary
CVE-2025-59151 is a high-severity CRLF Injection (CWE-93) vulnerability in Pi-Hole Web Interface. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of all inputs, directly preventing CRLF injection by sanitizing user-supplied data in Pi-hole Admin Interface redirects for .lp files.
SI-2 mandates timely flaw remediation, such as patching Pi-hole Admin Interface to version 6.3, which fixes the CRLF injection vulnerability.
SI-15 filters information prior to output, mitigating CRLF injection by blocking malicious characters from appearing in HTTP response headers and content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-59151 is a CRLF injection vulnerability in the public-facing Pi-hole Admin Interface web application, directly enabling remote exploitation without privileges, matching T1190: Exploit Public-Facing Application.
NVD Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file…
more
ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.
Deeper analysisAI
CVE-2025-59151 is a Carriage Return Line Feed (CRLF) injection vulnerability affecting the Pi-hole Admin Interface, the web-based management interface for Pi-hole, a network-level advertisement and tracker blocking application. Versions prior to 6.3 fail to properly sanitize input during redirects triggered by requests to files ending in the .lp extension. This allows attackers to inject CRLF characters (%0d%0a), manipulating both HTTP response headers and content. The issue is associated with CWE-93 (CRLF Injection) and CWE-113 (HTTP Response Splitting), earning a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
The vulnerability can be exploited remotely over the network with low complexity, requiring no privileges or user interaction. An attacker sends a crafted request to a .lp endpoint, injecting CRLF sequences to insert arbitrary HTTP headers into the response. This enables attacks such as session fixation, cache poisoning, and circumvention of browser security features like Content Security Policy (CSP) or X-XSS-Protection, primarily impacting integrity with some availability effects.
The Pi-hole web repository advisory (GHSA-5v79-p56f-x7c4) confirms the vulnerability and states it is fixed in version 6.3 through improved input sanitization during redirects. Security practitioners should upgrade to Pi-hole Admin Interface 6.3 or later to mitigate the issue.
Details
- CWE(s)