
CVE-2025-59151: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in pi-hole web

Severity: High
Tags: vulnerability, CVE-2025-59151, cve, cwe-93, cwe-113
Published: Mon Oct 27 2025 (10/27/2025, 19:42:59 UTC)
Source: CVE Database V5
Vendor/Project: pi-hole
Product: web

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.

AI-Powered Analysis

Last updated: 10/27/2025, 20:07:58 UTC

Technical Analysis

The vulnerability identified as CVE-2025-59151 affects the Pi-hole Admin Interface, a web-based management console for Pi-hole, a popular network-level advertisement and tracker blocking application. Versions prior to 6.3 improperly handle requests to files ending with the .lp extension by performing HTTP redirects without sanitizing input containing carriage return and line feed characters (%0d%0a). This improper neutralization of CRLF sequences (CWE-93) allows attackers to inject arbitrary HTTP response headers. Such injection can manipulate HTTP responses to achieve session fixation, where an attacker sets a victim's session identifier; cache poisoning, where malicious content is cached by browsers or proxies; and weakening or bypassing browser security policies such as Content Security Policy (CSP) and X-XSS-Protection headers. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The CVSS v3.1 base score is 8.2 (high), reflecting the ease of exploitation and significant impact on integrity with limited impact on availability and no direct confidentiality loss. Although no known exploits are reported in the wild yet, the vulnerability poses a serious risk to the integrity of HTTP responses and the security posture of affected networks. The issue is resolved in Pi-hole version 6.3, which properly sanitizes input to prevent CRLF injection.

Potential Impact

For European organizations, exploitation of this vulnerability could undermine the security and reliability of Pi-hole deployments, which are widely used to block ads and trackers at the network level. Successful attacks may allow adversaries to hijack user sessions, poison caches to serve malicious content, or bypass browser security mechanisms, increasing the risk of further attacks such as cross-site scripting or data manipulation. This could lead to compromised user privacy, degraded network security, and potential exposure to malware or phishing campaigns. Organizations relying on Pi-hole for network security and privacy, including enterprises, educational institutions, and government agencies, may face increased risk of targeted attacks or broader network compromise. Given the remote and unauthenticated exploitability, the threat is particularly concerning for publicly accessible or poorly segmented Pi-hole admin interfaces.

Mitigation Recommendations

European organizations should immediately upgrade all Pi-hole Admin Interface installations to version 6.3 or later to remediate the vulnerability. If upgrading is not immediately feasible, organizations should restrict access to the Pi-hole admin interface by implementing network-level controls such as firewall rules or VPN access to limit exposure. Additionally, web application firewalls (WAFs) can be configured to detect and block HTTP requests containing CRLF injection patterns targeting .lp files. Monitoring HTTP logs for suspicious requests with encoded CRLF sequences (%0d%0a) can help detect attempted exploitation. Organizations should also review and enforce strict Content Security Policy headers and other browser security mechanisms to mitigate potential impacts. Regular vulnerability scanning and patch management processes should be enhanced to ensure timely updates of Pi-hole and other critical infrastructure components.
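The two defensive measures above (log monitoring for encoded CRLF sequences in requests to .lp files, and neutralizing CR/LF before a value reaches a redirect header) as an added example; this is not Pi-hole project code. The combined access-log format, the field positions and the sample lines are constructed assumptions.

```python
"""Detection and neutralization helpers for CRLF injection of the kind
described for CVE-2025-59151 (Pi-hole Admin Interface before 6.3).

Added example, not Pi-hole code. Assumes Apache/nginx-style combined log
lines; the sample lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Request line for a .lp resource (case-insensitive so %0D%0A is caught too).
_LP_REQUEST = re.compile(r'"(?:GET|POST|HEAD)\s+(\S*\.lp\S*)\s+HTTP/', re.IGNORECASE)
# URL-encoded carriage return or line feed anywhere in the request target.
_ENCODED_CRLF = re.compile(r'%0d|%0a', re.IGNORECASE)


def find_crlf_attempts(log_lines):
    """Return (client_ip, request_target) for every log line that requests a
    .lp resource and carries an encoded CR or LF in the target."""
    hits = []
    for line in log_lines:
        m = _LP_REQUEST.search(line)
        if m and _ENCODED_CRLF.search(m.group(1)):
            client_ip = line.split(" ", 1)[0]  # first field of a combined log line
            hits.append((client_ip, m.group(1)))
    return hits


def safe_redirect_target(raw_target):
    """Neutralize a redirect target before it is written into a Location
    header: decode once, then drop CR, LF and NUL so that no header boundary
    (and no injected response body) can be forged by the request."""
    decoded = unquote(raw_target)
    return decoded.replace("\r", "").replace("\n", "").replace("\x00", "")


# Constructed sample access-log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:19:42:59 +0000] "GET /admin/login.lp HTTP/1.1" 302 0',
    '10.0.0.9 - - [27/Oct/2025:19:43:10 +0000] "GET /admin/login.lp?next=/%0d%0aX-Injected:%20test HTTP/1.1" 302 0',
    '10.0.0.7 - - [27/Oct/2025:19:43:12 +0000] "GET /admin/api/stats?x=%0D%0A HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in find_crlf_attempts(SAMPLE_LOG):
        print(f"possible CRLF injection attempt from {ip}: {target}")
        print("  neutralized Location value:", repr(safe_redirect_target(target)))
```

Only the second sample line is flagged: the third carries an encoded CRLF but does not target a .lp file, which mirrors the narrow WAF rule suggested above; widen the request-line pattern if you want to alert on every encoded CRLF.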


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-09T15:23:16.327Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ffcd8cba6dffc5e20add29

Added to database: 10/27/2025, 7:52:44 PM

Last enriched: 10/27/2025, 8:07:58 PM

Last updated: 10/27/2025, 11:08:55 PM

