Wednesday, September 17, 2025

ESPHome Vulnerability Allows Unauthorized Access to Smart Devices


A high-severity authentication bypass flaw in ESPHome's ESP-IDF web server component allows unauthenticated users on the same local network to access and control smart devices without any valid credentials.

Discovered and reported by security researcher jesserockz, the vulnerability (CVE-2025-57808) undermines HTTP Basic Authentication by accepting empty or partially correct Authorization headers.

Users of ESPHome version 2025.8.0 are urged to upgrade immediately to 2025.8.1 to mitigate the risk.

ESPHome, a popular open-source framework for building firmware for smart home devices, supports HTTP Basic Authentication through its web_server component.

On the ESP-IDF platform, this authentication mechanism fails to properly validate client-supplied credentials when the base64 value in the Authorization header is empty or truncated.

Because the server compares only as many leading bytes of the expected value as the client supplied, any fragment that matches a prefix of the legitimate credential is accepted.

Even an empty Authorization value bypasses the check entirely, letting attackers reach protected endpoints with no knowledge of the username or password.

Proof of Concept

In a proof-of-concept demonstration, the following ESPHome configuration was used:

```yaml
esp32:
  board: ...          # board name elided in the original
  framework:
    type: esp-idf     # the ESP-IDF build of web_server is the affected one
web_server:
  auth:
    username: user
    password: somereallylongpass
```

Accessing the device through a browser with the correct credentials (user:somereallylongpass) succeeds, as intended. However, submitting only a substring of the password, such as somereally, some, or even the single character s, also grants access. These particular substrings work because the truncated credential (user:s, user:some, user:somereally) is a whole number of 3-byte base64 groups, so its encoding is an exact prefix of the full token; a truncation that ends mid-group produces different trailing characters and is not accepted.

The flaw is rooted in the implementation of AsyncWebServerRequest::authenticate, which uses the length of the supplied header value to bound the comparison rather than verifying the entire credential string.
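The following is an added example, not ESPHome's own code: a hypothetical reconstruction of the length-bounded comparison described above, placed beside a corrected check, with a small base64 encoder so the expected token for user:somereallylongpass is derived rather than hand-typed. The function names and the probe list are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Added example, not ESPHome's code: a hypothetical reconstruction of the
// length-truncated comparison described in the article, next to a fixed check.

// Minimal base64 encoder so the expected token is computed, not hand-typed.
static std::string base64_encode(const std::string &in) {
  static const char *tbl =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  std::string out;
  size_t i = 0;
  for (; i + 3 <= in.size(); i += 3) {
    uint32_t n = (uint32_t(uint8_t(in[i])) << 16) |
                 (uint32_t(uint8_t(in[i + 1])) << 8) | uint8_t(in[i + 2]);
    out += tbl[(n >> 18) & 63];
    out += tbl[(n >> 12) & 63];
    out += tbl[(n >> 6) & 63];
    out += tbl[n & 63];
  }
  size_t rem = in.size() - i;
  if (rem == 1) {
    uint32_t n = uint32_t(uint8_t(in[i])) << 16;
    out += tbl[(n >> 18) & 63];
    out += tbl[(n >> 12) & 63];
    out += "==";
  } else if (rem == 2) {
    uint32_t n = (uint32_t(uint8_t(in[i])) << 16) |
                 (uint32_t(uint8_t(in[i + 1])) << 8);
    out += tbl[(n >> 18) & 63];
    out += tbl[(n >> 12) & 63];
    out += tbl[(n >> 6) & 63];
    out += '=';
  }
  return out;
}

// The credential the server expects, matching the PoC configuration.
std::string expected_credential() {
  return base64_encode("user:somereallylongpass");
}

// Pull the token that follows "Basic " out of an Authorization header value.
// Returns false for any other scheme; an empty token comes back as "".
static bool basic_token(const std::string &header, std::string &token) {
  const std::string scheme = "Basic ";
  if (header.compare(0, scheme.size(), scheme) != 0) return false;
  token = header.substr(scheme.size());
  return true;
}

// VULNERABLE (the behaviour the article describes): the comparison length is
// taken from the client's token, so any prefix of the expected token,
// including the empty string (strncmp with n == 0), compares equal.
bool authenticate_vulnerable(const std::string &header,
                             const std::string &expected_b64) {
  std::string token;
  if (!basic_token(header, token)) return false;
  return std::strncmp(token.c_str(), expected_b64.c_str(), token.size()) == 0;
}

// FIXED: require identical length, then compare every byte. OR-accumulating
// the differences also keeps the loop's timing independent of where the
// first mismatch sits.
bool authenticate_fixed(const std::string &header,
                        const std::string &expected_b64) {
  std::string token;
  if (!basic_token(header, token)) return false;
  if (token.size() != expected_b64.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < token.size(); i++)
    diff |= static_cast<unsigned char>(token[i] ^ expected_b64[i]);
  return diff == 0;
}

int main() {
  const std::string exp = expected_credential();
  // Constructed probes: the empty token from the curl PoC, the truncated
  // passwords from the browser PoC, the real credential, and a wrong one.
  const char *creds[] = {"", "user:s", "user:some", "user:somereally",
                         "user:somereallylongpass", "user:wrongpass"};
  for (const char *c : creds) {
    std::string header = "Basic " + (c[0] ? base64_encode(c) : std::string());
    std::printf("%-26s vulnerable=%d fixed=%d\n", c[0] ? c : "(empty token)",
                authenticate_vulnerable(header, exp),
                authenticate_fixed(header, exp));
  }
  return 0;
}
```

Running it shows the vulnerable check accepting the empty token, user:s, user:some and user:somereally alongside the real credential, while the fixed check accepts only the full credential. The length check in the fixed version is the essential part of the patch; the constant-time loop is an extra hardening choice, not something the advisory requires.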

A more direct bypass can be executed with a simple curl command:

```shell
$ curl -D- http://example.local/
HTTP/1.1 401 Unauthorized
…

$ curl -D- -H 'Authorization: Basic ' http://example.local/
HTTP/1.1 200 OK
…
```

By sending an empty base64 token after "Basic", the client makes the server treat the request as authenticated, and it responds with HTTP 200 OK.

Impact and Risk

This high-severity vulnerability affects any ESPHome device built on ESP-IDF with the web_server component enabled. Attackers with local network access can bypass authentication to:

  • Trigger over-the-air (OTA) firmware updates if OTA is enabled, potentially installing malicious firmware.
  • Access device configuration and status pages, revealing sensitive information.
  • Change device settings or trigger device actions without the owner's consent.

Since many smart home installations operate entirely within private LANs, the main prerequisite for exploitation is a foothold on that LAN, for example a compromised device or a guest or IoT network that is not segmented from the ESPHome devices. The attack needs only ordinary IP reachability to the device's web server; no interception, ARP spoofing or knowledge of legitimate credentials is required.

Mitigations

ESPHome maintainers have released version 2025.8.1, which corrects the authentication logic so that the complete base64-encoded credential string must match exactly. All users of ESPHome 2025.8.0 are strongly advised to upgrade to 2025.8.1 as soon as possible.

Until devices are patched, administrators should consider:

  • Disabling the web_server component on all ESP-IDF-based ESPHome devices.
  • Restricting network access to trusted hosts only, using VLANs or firewall rules.
  • Disabling OTA updates through the web server and using an alternative update mechanism.

Network segmentation and strict access controls reduce exposure, but the only guaranteed remedy is applying the patch.

  • Discovery: Reported by jesserockz in GitHub Security Advisory GHSA-mxh2-ccgj-8635, published 18 hours before this article.
  • Affected Versions: ESPHome 2025.8.0.
  • Patched Versions: ESPHome 2025.8.1.
  • CVE ID: CVE-2025-57808.
  • CVSS v3.1 Base Score: 7.3 (High) [AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N]. Note that this vector evaluates to 8.1 under the CVSS v3.1 formula, so either the score or the vector as reproduced here contains a transcription error; consult the advisory for the authoritative values.

The ESPHome web_server authentication bypass is a stark reminder that subtle implementation errors, here a comparison bounded by the attacker-controlled input length, can render security measures ineffective.

Smart home operators should stay vigilant, apply updates promptly, and follow network security best practices to guard against unauthorized access.
