HTTP response splitting in FortiProxy and FortiOS - CVE-2025-62675

 

HTTP response splitting in FortiProxy and FortiOS - CVE-2025-62675

Published: July 14, 2026


Vulnerability identifier: #VU137529
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-62675
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiProxy
FortiOS

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper neutralization of crlf sequences in http headers ('http response splitting') in Web Filter warning page. An attacker in possession of a valid web filter override token can inject arbitrary headers via tricking a user into clicking on a crafted link.


How to mitigate CVE-2025-62675

Install update from vendor's website.

Sources