CVE-2025-59151

CVE-2025-59151 is a Carriage Return Line Feed (CRLF) injection vulnerability affecting the Pi-hole Admin Interface, the web-based management interface for Pi-hole, a network-level advertisement and tracker blocking application. Versions prior to 6.3 fail to properly sanitize input during redirects triggered by requests to files ending in the .lp extension. This allows attackers to inject CRLF characters (%0d%0a), manipulating both HTTP response headers and content. The issue is associated with CWE-93 (CRLF Injection) and CWE-113 (HTTP Response Splitting), earning a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).

The vulnerability can be exploited remotely over the network with low complexity, requiring no privileges or user interaction. An attacker sends a crafted request to a .lp endpoint, injecting CRLF sequences to insert arbitrary HTTP headers into the response. This enables attacks such as session fixation, cache poisoning, and circumvention of browser security features like Content Security Policy (CSP) or X-XSS-Protection, primarily impacting integrity with some availability effects.

The Pi-hole web repository advisory (GHSA-5v79-p56f-x7c4) confirms the vulnerability and states it is fixed in version 6.3 through improved input sanitization during redirects. Security practitioners should upgrade to Pi-hole Admin Interface 6.3 or later to mitigate the issue.