CVE-2025-57808
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-02

Last updated on: 2025-09-10

Assigner: GitHub, Inc.

Description
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-02
Last Modified
2025-09-10
Generated
2026-06-16
AI Q&A
2025-09-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57808
EUVD
EUVD-2025-26385
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esphome esphome_firmware 2025.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
CWE-303 The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in the ESPHome web_server component on the ESP-IDF platform. The authentication check incorrectly allows access when the client-supplied base64-encoded Authorization header is empty or only a substring (prefix) of the correct value. This happens because the code compares only part of the provided credentials instead of the full string, allowing unauthorized users to bypass authentication without knowing the correct username or password. [1, 2]

Impact Analysis

This vulnerability allows attackers on the local network to gain unauthorized access to the ESPHome web_server functionalities, including over-the-air (OTA) updates if enabled, without any credentials. This compromises the confidentiality and integrity of the device, as attackers can control or modify the device remotely. The vulnerability has a high severity score (CVSS 8.1) and requires no privileges or user interaction to exploit. [2]

Detection Guidance

This vulnerability can be detected by attempting to access the ESPHome web_server with an empty or truncated base64-encoded Authorization header and observing if authentication is bypassed. For example, using curl commands to send HTTP requests with incomplete or empty Authorization headers can test for the vulnerability. A sample command to test might be: curl -v -H "Authorization: Basic " http://<target-ip>/, or curl -v -H "Authorization: Basic dXNlcjpz" http://<target-ip>/ where 'dXNlcjpz' is a truncated base64 string of 'user:s'. If access is granted without valid credentials, the system is vulnerable. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading ESPHome to version 2025.8.1 or later, where the vulnerability is patched. Until the upgrade can be performed, it is recommended to disable the web_server component, especially if OTA updates are enabled, to prevent unauthorized access. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57808. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart