CVE-2025-57808

Published: Sep 2, 2025

Modified: Sep 2, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

Vendor	Product	Versions
esphome	esphome	affected `= 2025.8.0`

Weaknesses (CWE)

CWE-303

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635

x_refsource_CONFIRM

https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-57808

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References