Esphome · Esphome · CVE-2025-57808
**Name of the Vulnerable Software and Affected Versions**
ESPHome version 2025.8.0
**Description**
ESPHome's web server authentication check can incorrectly pass when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web server functionality, including Over-The-Air (OTA) updates if enabled, without knowing the correct username or password. The root cause is a flaw in the `AsyncWebServerRequest::authenticate` function, which compares only a portion of the base64-encoded username and password string rather than the whole value. An attacker on the local network can exploit this to bypass authentication entirely and gain control of smart home devices. The vulnerable component is the `web server`, and the vulnerable parameter is the `Authorization` header, whose base64-encoded value is not properly validated.
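The following C++ is an added illustration of the bug class described above, not ESPHome's source: `authenticate_flawed` models the partial comparison as a `strncmp` limited to the length of the client-supplied value (an assumption about the mechanism, since the advisory only says a portion is compared), and `authenticate_fixed` shows the full-length check that rejects both an empty value and a prefix. The `base64_encode` helper and the `admin`/`secret` credentials are constructed for the example.

```cpp
// Added illustration (not ESPHome's source): prefix comparison vs. full comparison.
#include <cstring>
#include <string>

// Minimal standard base64 encoder, enough to build "user:pass" credentials.
std::string base64_encode(const std::string &in) {
  static const char tbl[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  std::string out;
  for (size_t i = 0; i < in.size(); i += 3) {
    unsigned v = (unsigned char)in[i] << 16;
    if (i + 1 < in.size()) v |= (unsigned char)in[i + 1] << 8;
    if (i + 2 < in.size()) v |= (unsigned char)in[i + 2];
    out += tbl[(v >> 18) & 63];
    out += tbl[(v >> 12) & 63];
    out += (i + 1 < in.size()) ? tbl[(v >> 6) & 63] : '=';
    out += (i + 2 < in.size()) ? tbl[v & 63] : '=';
  }
  return out;
}

// Strips "Basic " from an Authorization header; returns false if the scheme is absent.
static bool basic_value(const std::string &hdr, std::string &out) {
  static const std::string kPrefix = "Basic ";
  if (hdr.compare(0, kPrefix.size(), kPrefix) != 0) return false;
  out = hdr.substr(kPrefix.size());
  return true;
}

// Flawed model of the bug (assumed mechanism): only the first supplied.size() bytes
// are compared, so an empty value (n == 0) or any prefix of the real credential passes.
bool authenticate_flawed(const std::string &hdr, const std::string &user, const std::string &pass) {
  std::string supplied;
  if (!basic_value(hdr, supplied)) return false;
  std::string expected = base64_encode(user + ":" + pass);
  return std::strncmp(supplied.c_str(), expected.c_str(), supplied.size()) == 0;
}

// Fixed: lengths must match and every byte is compared with no early exit on a
// mismatching byte, so timing does not reveal how many leading bytes matched.
bool authenticate_fixed(const std::string &hdr, const std::string &user, const std::string &pass) {
  std::string supplied;
  if (!basic_value(hdr, supplied)) return false;
  std::string expected = base64_encode(user + ":" + pass);
  if (supplied.size() != expected.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < expected.size(); i++) diff |= (unsigned char)(supplied[i] ^ expected[i]);
  return diff == 0;
}
```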
**Recommendations**
Update to ESPHome version 2025.8.1 or later.