PT-2024-21634 · Esphome · Esphome
High · jesserockz · Published 2024-02-26 · Updated 2024-03-01 · CVE-2024-27081
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ESPHome versions 2023.12.9 through 2024.2.0
Description
A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome allows authenticated remote attackers to read and write arbitrary files under the configuration directory, rendering remote code execution possible. This issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in Python scripts executed during the compilation and flashing of firmware for ESP boards. It also allows access to sensitive information such as esphome.json and board firmware source code, enabling a user to modify the board firmware and leak secrets such as WiFi network credentials, fallback hotspot WiFi credentials, the OTA component authentication password, and the API encryption key.
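The kind of server-side check that keeps a file-edit endpoint from reaching scripts and state files, as an added example (not ESPHome's code and not the upstream fix). It assumes that only YAML device configurations should be editable and that tool state sits in a dot-directory; `resolve_editable`, `.state` and the sample file names are constructed for illustration.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".yaml", ".yml"}  # assumption: only YAML configs are editable


def resolve_editable(config_dir: Path, requested: str) -> Path:
    """Return the absolute path for an edit request, or raise ValueError."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed name")
    base = config_dir.resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # check below sees the file that would really be opened.
    target = (base / requested).resolve()
    if not target.is_relative_to(base):
        raise ValueError("outside configuration directory")
    # Assumption: dot-directories hold tool state, never user configs.
    if any(p.startswith(".") for p in target.relative_to(base).parts):
        raise ValueError("hidden file or directory")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("not a YAML configuration")
    return target


def demo() -> dict:
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config"
        (cfg / ".state").mkdir(parents=True)  # constructed state directory
        (cfg / "livingroom.yaml").write_text("esphome:\n  name: livingroom\n")
        (cfg / ".state" / "esphome.json").write_text("{}")
        (cfg / "build_hook.py").write_text("# constructed script\n")
        results = {}
        for name in ["livingroom.yaml", ".state/esphome.json",
                     "build_hook.py", "../outside.yaml", "/etc/passwd"]:
            try:
                resolve_editable(cfg, name)
                results[name] = "allowed"
            except ValueError as exc:
                results[name] = str(exc)
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

The suffix allowlist is what blocks in-directory targets such as build scripts; the containment check alone would not, since those files sit under the configuration directory.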
Recommendations
For ESPHome version 2023.12.9, update to version 2024.2.1 to resolve the issue.
As a temporary workaround, consider restricting access to the configuration directory to minimize the risk of exploitation.
Avoid using the configuration parameter in the /edit API endpoint until the issue is resolved.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Esphome