SB2025072430 - Multiple vulnerabilities in EspoCRM
Published: July 24, 2025. Updated: April 23, 2026.
Description
This security bulletin contains information about 2 security vulnerabilities.
1) LDAP injection (CVE-ID: CVE-2025-52575)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to improper input validation when processing LDAP queries. A remote attacker can send a specially crafted LDAP query to the application, manipulate the filter and gain access to sensitive information on the system.
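The defect class behind item 1 is an LDAP search filter assembled from untrusted input without escaping. As an added, defender-side example that is not from this bulletin or from EspoCRM's code (all function names are hypothetical), this escapes assertion values per RFC 4515 before they enter the filter and checks that the resulting filter holds exactly one literal assertion:

```python
# Added example, not from the bulletin or EspoCRM. Function names are hypothetical.

# RFC 4515 section 3: these characters must be hex-encoded as \xx inside a
# filter assertion value. NUL is included because it terminates strings in
# many LDAP client libraries.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value with LDAP filter metacharacters hex-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The pattern to avoid: raw concatenation lets input reshape the filter."""
    return f"({attr}={username})"


def build_login_filter(username: str, attr: str = "uid") -> str:
    """Hardened form: the filter can only match the literal username."""
    return f"({attr}={escape_ldap_filter_value(username)})"


def filter_is_well_formed(filter_str: str, attr: str = "uid") -> bool:
    """Check: one assertion on attr, no unescaped metacharacters in the value."""
    prefix = f"({attr}="
    if not (filter_str.startswith(prefix) and filter_str.endswith(")")):
        return False
    value = filter_str[len(prefix):-1]
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            # a backslash must introduce exactly two hex digits
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpart):
                return False
            i += 3
            continue
        if ch in "*()\x00":
            return False
        i += 1
    return True
```

The check is a last line of defence for code review or tests; the real fix is to never build the filter from raw input in the first place.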
2) Input validation error (CVE-ID: CVE-2025-52892)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input handling in the Slim router cache when processing a URI containing a double slash. A remote privileged user can load the application in a browser with a double-slash URI to cause a denial of service.
The issue occurs if the web server does not strip the double slash, and user interaction is required to load the crafted URI.
Remediation
Install the update from the vendor's website.