CVE-2025-52892

4.5 MEDIUM

📋 TL;DR

A path traversal vulnerability in EspoCRM versions 9.1.6 and below allows an attacker to corrupt the Slim router's route cache simply by requesting a URL that contains a double slash (`//`). Once the cache is corrupted the instance stops serving requests until an administrator runs a rebuild. Instances running a vulnerable version are affected unless the web server in front of EspoCRM normalizes or strips double slashes before handing the request to PHP.

💻 Affected Systems

Products:
  • EspoCRM
Versions: 9.1.6 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where the web server does not normalize or strip double slashes from URLs.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service - EspoCRM becomes completely inaccessible until manual intervention and cache rebuild.

🟠

Likely Case

Temporary service disruption requiring administrator intervention to clear corrupted cache.

🟢

If Mitigated

Minimal impact if web server strips double slashes or if using unaffected versions.

🌐 Internet-Facing: MEDIUM - Exploitable via web requests but requires specific URL patterns and doesn't compromise data.
🏢 Internal Only: LOW - Same technical impact but limited to internal users with access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of specific URL patterns and depends on web server configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.7

Vendor Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-26x2-6wch-j8pf

Restart Required: No

Instructions:

1. Back up the EspoCRM installation directory and the database.
2. Download version 9.1.7 or later from the official repository.
3. Replace the existing installation files with the updated version (or apply the upgrade package through the normal EspoCRM upgrade procedure).
4. If the cache was already corrupted, clear the cache and rebuild the instance (e.g. `php rebuild.php` from the EspoCRM root); the instance stays unusable until the rebuild completes.

🔧 Temporary Workarounds

Web Server URL Normalization

Applies to: all platforms

Configure the web server (Apache/Nginx) to collapse consecutive slashes in the request path, or to redirect such requests to the normalized path, before the request reaches EspoCRM. The mitigation only works if the value PHP receives as REQUEST_URI no longer contains `//`; normalizing only the path used for internal location matching is not enough.

For Apache: use mod_rewrite to detect `//` in the raw request line and redirect to the collapsed path.
For Nginx: `merge_slashes` (on by default) collapses `//` in `$uri`, but `$request_uri` is passed to PHP unchanged, so add a redirect for requests whose raw path contains `//`.
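The Nginx variant of this workaround, as an added example that is neither EspoCRM project code nor text from the vendor advisory. The hostname, document root and PHP-FPM socket are assumptions; the redirect is the part that matters.

```nginx
# Added example (not from the EspoCRM project): send any request whose raw
# path contains consecutive slashes to the normalized path, so that the PHP
# application never receives "//" in REQUEST_URI.
#
# merge_slashes is on by default and collapses "//" in $uri, which nginx uses
# for location matching. It does NOT touch $request_uri, and the stock
# fastcgi_params file passes $request_uri to PHP as REQUEST_URI, so without
# the redirect below EspoCRM still sees the doubled slashes.
merge_slashes on;

server {
    listen 443 ssl;
    server_name crm.example.com;          # assumed hostname
    root /var/www/espocrm/public;         # assumed document root

    # Match "//" anywhere in the path portion (before any "?") of the raw
    # request target. $uri is already slash-merged; $is_args$args re-attaches
    # the query string. "if" with a bare "return" in server context is safe.
    if ($request_uri ~ "^[^?]*//") {
        return 301 $uri$is_args$args;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Check the result with a client that does not itself normalize the path (for example `curl --path-as-is`): a request for `//api/v1/App/user` should come back as a 301 to `/api/v1/App/user` and never reach PHP. The Apache equivalent is a mod_rewrite rule that tests `%{THE_REQUEST}` (the raw request line) for `//` and issues a 301 to the collapsed path; test it the same way.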

🧯 If You Can't Patch

  • Add a web application firewall (WAF) rule that blocks requests whose path (not the scheme or query string) contains `//`, so that one stray request cannot take the instance down.
  • Monitor access logs for requests with `//` in the path, rate-limit the sources, and keep a tested rebuild procedure at hand so recovery is quick if the cache does get corrupted.

🔍 How to Verify

Check if Vulnerable:

Look up the EspoCRM version on the About page of the Administration panel, or in the version field of composer.json in the installation root. Any version 9.1.6 or below is vulnerable; whether it is exploitable in practice depends on whether the web server in front of it passes double slashes through to PHP (see Notes above).

Verify Fix Applied:

After upgrading to 9.1.7+, request a URL with a double slash in the path (e.g. https://domain//#Admin; the fragment is not sent to the server, so the server sees a request for `//`) and then load the instance normally - it should remain functional. Do not run this check against a production instance that is still on a vulnerable version, since on such an instance the request itself is the denial of service; test on a staging copy or with a rebuild ready.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests whose path contains double slashes (not the `//` of a scheme when the full URL is logged, nor `//` inside a query string)
  • Slim router cache errors or corruption messages

Network Indicators:

  • Unusual patterns of requests with double slashes from single IPs

SIEM Query:

web_access_logs WHERE url_path CONTAINS '//' AND status_code != 404

Match on the path field rather than the full URL, otherwise the `https://` in every absolute URL will match.
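The detection logic described above, as an added example (not part of this advisory or of EspoCRM): a Python scanner over combined-format access log lines that flags requests whose path contains `//`, ignores a `//` that appears only in a scheme or a query string, drops 404s as the SIEM query does, and counts hits per client. The log lines are constructed for illustration.

```python
"""Added example (not EspoCRM project code): scan web server access logs for
request paths containing consecutive slashes, the pattern that triggers
CVE-2025-52892 on an instance whose web server passes them through to PHP.
The sample log lines at the bottom are constructed, not captured."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/Combined Log Format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
DOUBLE_SLASH = re.compile(r'//')


def path_of(target: str) -> str:
    """Return the path portion of a request target, without the query string.

    Handles origin-form targets ("/a//b?x=1") and absolute-form targets
    ("https://host//a"), so the "//" of the scheme never counts as a hit.
    """
    if '://' in target:
        return urlsplit(target).path
    return target.split('?', 1)[0]


def parse_line(line: str):
    """Parse one access log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = path_of(rec['target'])
    return rec


def find_double_slash_requests(lines, ignore_status=(404,)):
    """Return parsed records whose path contains "//", skipping ignored statuses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] in ignore_status:
            continue
        if DOUBLE_SLASH.search(rec['path']):
            hits.append(rec)
    return hits


def per_ip_counts(hits):
    """Count flagged requests per client IP, for rate-limit or block decisions."""
    return Counter(h['ip'] for h in hits)


# Constructed sample: two real hits from one client, plus three lines that a
# naive "contains //" match would wrongly flag or that the query excludes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /api/v1/App/user HTTP/1.1" 200 1421 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Jul/2025:12:00:02 +0000] "GET //api/v1/App/user HTTP/1.1" 200 1421 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Jul/2025:12:00:03 +0000] "GET /api//v1/App/user?x=1 HTTP/1.1" 500 73 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Jul/2025:12:00:04 +0000] "GET https://crm.example.com/client/index.html HTTP/1.1" 200 3104 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2025:12:00:05 +0000] "GET /old//path HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2025:12:00:06 +0000] "GET /client/?q=a//b HTTP/1.1" 200 3104 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = find_double_slash_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} {h['method']} {h['target']} -> {h['status']}")
    print(dict(per_ip_counts(found)))
```

Feed it real logs with `find_double_slash_requests(open('access.log'))`. A burst of hits from one IP followed by a run of 5xx responses on every path is the signature of the cache having been corrupted; the rebuild in the Fix section is the recovery step.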
