PT-2025-35518 · Esphome · Esphome
Bcat · Published 2025-09-02 · Updated 2025-10-19 · CVE-2025-57808
CVSS v3.1: 8.1 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ESPHome version 2025.8.0
Description: ESPHome's web server authentication check can incorrectly pass when the client-supplied base64-encoded Authorization value is empty or is a leading substring (prefix) of the correct value. The cause is a flaw in AsyncWebServerRequest::authenticate, which compares only as many bytes of the expected base64(username:password) string as the client supplied; an empty credential therefore compares equal trivially, and any prefix of the correct credential also matches. An attacker on the same local network can bypass authentication entirely without knowing the username or password and reach all web server functionality, including Over-The-Air (OTA) updates if they are enabled, which gives control of the smart home device. The vulnerable component is the web server; the vulnerable parameter is the Authorization header.
Recommendations: Update to ESPHome version 2025.8.1 or later.
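The bounded comparison described above, as an added example written for this entry and not ESPHome's own source: `authenticate_vulnerable` models the pre-2025.8.1 logic, in which the number of bytes compared comes from the client-supplied credential, and `authenticate_fixed` is a length-checked, constant-time replacement. The function names, the `admin`/`secret` credentials and the Authorization values are constructed for the demonstration and are assumptions, not ESPHome identifiers (the real function is `AsyncWebServerRequest::authenticate`).

```cpp
// Added example, not ESPHome's code: model of the flawed Basic-auth comparison
// described in the advisory, next to a hardened replacement.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char AUTH_BASIC_PREFIX[] = "Basic ";

// Standard base64 (RFC 4648) encoding of "user:pass", the form an HTTP Basic
// client sends after the "Basic " prefix.
std::string base64_encode(const std::string &in) {
  std::string out;
  size_t i = 0;
  for (; i + 2 < in.size(); i += 3) {
    uint32_t v = (uint32_t)(uint8_t)in[i] << 16 |
                 (uint32_t)(uint8_t)in[i + 1] << 8 | (uint8_t)in[i + 2];
    out += B64_ALPHABET[(v >> 18) & 63];
    out += B64_ALPHABET[(v >> 12) & 63];
    out += B64_ALPHABET[(v >> 6) & 63];
    out += B64_ALPHABET[v & 63];
  }
  if (i < in.size()) {  // one or two trailing bytes, padded with '='
    uint32_t v = (uint32_t)(uint8_t)in[i] << 16;
    bool two = i + 1 < in.size();
    if (two) v |= (uint32_t)(uint8_t)in[i + 1] << 8;
    out += B64_ALPHABET[(v >> 18) & 63];
    out += B64_ALPHABET[(v >> 12) & 63];
    out += two ? B64_ALPHABET[(v >> 6) & 63] : '=';
    out += '=';
  }
  return out;
}

// Shared scheme check: only Basic is handled. Returns nullptr when the header
// does not start with "Basic ", otherwise a pointer to the credential part.
static const char *basic_credential(const std::string &auth_header) {
  const size_t prefix_len = sizeof(AUTH_BASIC_PREFIX) - 1;
  if (strncmp(auth_header.c_str(), AUTH_BASIC_PREFIX, prefix_len) != 0) return nullptr;
  return auth_header.c_str() + prefix_len;
}

// VULNERABLE (models the pre-2025.8.1 behaviour): the comparison length n is
// taken from the client-supplied value, so n == 0 (empty credential) always
// matches, and any prefix of the expected digest matches as well.
bool authenticate_vulnerable(const std::string &auth_header,
                             const std::string &username,
                             const std::string &password) {
  const char *supplied = basic_credential(auth_header);
  if (supplied == nullptr) return false;
  std::string digest = base64_encode(username + ":" + password);
  size_t n = strlen(supplied);  // BUG: the attacker chooses n
  return strncmp(digest.c_str(), supplied, n) == 0;
}

// HARDENED: require identical length, then compare every byte with an
// OR-accumulator so there is no early exit on the first mismatching byte.
// (The length of base64(user:pass) is not secret, so rejecting on length
// early is acceptable.)
bool authenticate_fixed(const std::string &auth_header,
                        const std::string &username,
                        const std::string &password) {
  const char *supplied = basic_credential(auth_header);
  if (supplied == nullptr) return false;
  std::string digest = base64_encode(username + ":" + password);
  size_t n = strlen(supplied);
  if (n != digest.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < n; i++) diff |= (unsigned char)(digest[i] ^ supplied[i]);
  return diff == 0;
}

int main() {
  // Constructed Authorization header values for the demo credentials admin/secret
  // (base64("admin:secret") == "YWRtaW46c2VjcmV0").
  const char *headers[] = {"Basic ", "Basic YWRt", "Basic YWRtaW46c2VjcmV0", "Basic Zm9v"};
  for (const char *h : headers) {
    std::printf("%-26s vulnerable=%d fixed=%d\n", h,
                authenticate_vulnerable(h, "admin", "secret"),
                authenticate_fixed(h, "admin", "secret"));
  }
  return 0;
}
```

Run against the demo credentials, the vulnerable check accepts the empty credential and the 4-byte prefix `YWRt` as well as the full value, while the hardened check accepts only the full value. The same observation is the simplest way to verify a device after upgrading: a request carrying `Authorization: Basic ` with an empty credential must be rejected (401) rather than served.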

Related Identifiers

CVE-2025-57808
GHSA-MXH2-CCGJ-8635

Affected Products

Esphome