PT-2025-7078 · Unknown+1 · Aiohttp-Session+2

Renenulschde · Published 2025-02-18 · Updated 2025-02-18 · CVE-2025-25305

CVSS v3.1: 7.0 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Home Assistant Core versions prior to 2024.1.6
Description: The issue concerns a potential man-in-the-middle attack due to missing SSL certificate verification in the project codebase and in third-party libraries it uses. In the past, aiohttp session/request calls had the boolean parameter verify_ssl to control SSL certificate verification. In aiohttp 3.0 this parameter was deprecated in favor of the ssl parameter. When ssl is set to None, or is given a correctly configured SSL context, standard SSL certificate verification takes place. During the migration, some integrations and third-party libraries used request.ssl = True, which unintentionally turned SSL certificate verification off. This opened up a man-in-the-middle attack vector.
Recommendations: For versions prior to 2024.1.6, upgrade to version 2024.1.6 to address the issue. As a temporary workaround, consider disabling the use of ssl=True in affected integrations and libraries until the issue is resolved. Restrict access to affected API endpoints, such as those using aiohttp session/request calls, to minimize the risk of exploitation. Avoid using the ssl parameter with a value of True in affected API endpoints until the issue is resolved.
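The advisory's root cause is a code pattern (ssl=True passed to aiohttp client calls, or a leftover verify_ssl) that is easy to find mechanically. The following scanner is an added example written for this page; it is not code from the advisory, from Home Assistant, or from aiohttp. It uses only the standard library's ast module, so it runs without aiohttp installed. The set of aiohttp call names it inspects and the sample source it scans are assumptions constructed for the example; the sample shows the flagged pattern beside the two forms the advisory describes as safe (ssl=None and a configured SSLContext).

```python
"""Flag aiohttp client calls that pass ssl=True or the deprecated verify_ssl.

Added example for the CVE-2025-25305 advisory; not project code.
"""
import ast
from typing import Dict, List

# aiohttp client call names whose `ssl` / `verify_ssl` keyword controls
# certificate verification (assumption: names taken from aiohttp's client API).
FLAGGED_CALLS = {
    "request", "get", "post", "put", "patch", "delete", "head", "options",
    "ws_connect", "ClientSession", "TCPConnector",
}

SSL_TRUE_REASON = (
    "ssl=True: verification unintentionally disabled in affected versions "
    "(see advisory); pass ssl=None or a configured ssl.SSLContext instead"
)
VERIFY_SSL_REASON = (
    "verify_ssl is deprecated since aiohttp 3.0; migrate to ssl=None or an "
    "ssl.SSLContext, not to ssl=True"
)


def _callee_name(call: ast.Call) -> str:
    """Bare name of the called function: `session.get(...)` -> 'get'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_ssl_misuse(source: str, filename: str = "<string>") -> List[Dict[str, object]]:
    """Parse `source` and return one finding per risky ssl/verify_ssl keyword.

    Findings are sorted by line number so the order is stable regardless of
    how ast.walk traverses nested calls.
    """
    findings: List[Dict[str, object]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in FLAGGED_CALLS:
            continue
        for kw in node.keywords:
            # Only the literal `True` is the advisory's pattern; `1` or a
            # variable named differently is reported as-is by other tooling.
            if (kw.arg == "ssl" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append({"line": node.lineno, "call": name,
                                 "reason": SSL_TRUE_REASON})
            elif kw.arg == "verify_ssl":
                findings.append({"line": node.lineno, "call": name,
                                 "reason": VERIFY_SSL_REASON})
    findings.sort(key=lambda f: int(f["line"]))  # type: ignore[arg-type]
    return findings


# Constructed sample source (not from any real integration): one call with the
# weak setting, two safe forms, and one leftover deprecated parameter.
SAMPLE_SOURCE = '''
import ssl
import aiohttp

async def fetch_weak(session):
    # Reads as "secure" but is the pattern the advisory warns about.
    async with session.get("https://device.example/api", ssl=True) as resp:
        return resp.status

async def fetch_default(session):
    # None selects aiohttp's default, verified SSL context.
    async with session.get("https://device.example/api", ssl=None) as resp:
        return resp.status

async def fetch_pinned_ca(session):
    ctx = ssl.create_default_context(cafile="/path/to/private-ca.pem")
    async with session.get("https://device.example/api", ssl=ctx) as resp:
        return resp.status

legacy = aiohttp.ClientSession(connector=aiohttp.TCPConnector(verify_ssl=True))
'''


if __name__ == "__main__":
    for finding in find_ssl_misuse(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{finding['line']}: {finding['call']}(): {finding['reason']}")
```

Pointing the scanner at an integration's source tree (one `find_ssl_misuse(path.read_text(), str(path))` per file) gives a quick inventory of the call sites the recommendations above ask to change; the two safe forms in the sample produce no findings.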

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2025-25305
GHSA-M3PM-RPGG-5WJ6

Affected Products

Home Assistant Core
Aiohttp
Aiohttp-Session