EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7.
Metrics
Affected Vendors & Products
References
History
Tue, 05 Aug 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 05 Aug 2025 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Espocrm
Espocrm espocrm |
|
Vendors & Products |
Espocrm
Espocrm espocrm |
Tue, 05 Aug 2025 00:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7. | |
Title | EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache | |
Weaknesses | CWE-444 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-08-05T00:17:16.047Z
Updated: 2025-08-05T13:48:45.234Z
Reserved: 2025-06-20T17:42:25.709Z
Link: CVE-2025-52892

Updated: 2025-08-05T13:48:42.687Z

Status : Awaiting Analysis
Published: 2025-08-05T01:15:39.827
Modified: 2025-08-05T14:34:17.327
Link: CVE-2025-52892

No data.