Описание
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:o:esphome:esphome_firmware:2025.8.0:*:*:*:*:*:*:*
EPSS
Процентиль: 88%
0.03717
Низкий
8.1 High
CVSS3
Дефекты
CWE-303
NVD-CWE-noinfo
Связанные уязвимости
CVSS3: 8.1
github
5 месяцев назад
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
EPSS
Процентиль: 88%
0.03717
Низкий
8.1 High
CVSS3
Дефекты
CWE-303
NVD-CWE-noinfo