CVE-2025-62172
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| home_assistant | home_assistant | 2025.10.2 |
| home_assistant | home_assistant | 2025.10.1 |
| home_assistant | home_assistant | 2025.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62172 is a stored Cross-Site Scripting (XSS) vulnerability in the Home Assistant Energy Dashboard. It occurs because entity names containing HTML or script code are not properly sanitized before being displayed in graph tooltips. An authenticated user or a malicious energy provider can inject malicious JavaScript code into an energy entity's name. When any user views the Energy dashboard and hovers over the data points, this malicious code executes in their browser, potentially compromising their session or data. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with authenticated access or a malicious energy provider to execute arbitrary JavaScript code in the context of other users' sessions when they view the Energy dashboard. This can lead to session hijacking, data theft, or other malicious actions performed on behalf of the victim user. If exploited, it compromises the security and privacy of users interacting with the Home Assistant Energy dashboard. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Home Assistant instance is running a vulnerable version (2025.1.0 through 2025.10.1) and by inspecting energy entity names for malicious HTML or JavaScript code. Since the exploit involves stored XSS in the Energy Dashboard's graph tooltips, you can manually review or query the entity names for suspicious content. There are no specific commands provided to detect the vulnerability automatically, but you can audit the energy entities' friendly names for HTML/script tags or unusual characters. Additionally, monitoring user changes to energy entity names or reviewing energy provider data for suspicious default names may help detect exploitation attempts. [1]
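The audit described above can be scripted. The following is an added example, not code from BaseFortify or the Home Assistant project: it walks an entity-registry export, flags any entity whose user-set name or integration default name contains markup characters or script-like fragments (the CWE-80 characters plus script tags, event-handler attributes and javascript: URLs), and shows the escaping a tooltip renderer must apply. The registry file path (config/.storage/core.entity_registry) is real, but the field layout used here and the sample entries are constructed assumptions for the example.

```python
import html
import json
import re

# Constructed sample in the shape of a Home Assistant entity registry export
# (the live file is config/.storage/core.entity_registry). The exact field
# layout is an assumption for this example; only "entity_id", "name"
# (user override) and "original_name" (integration default) are used.
SAMPLE_REGISTRY = json.dumps({
    "data": {
        "entities": [
            {"entity_id": "sensor.grid_import", "name": None, "original_name": "Grid import"},
            {"entity_id": "sensor.solar_export", "name": "Roof PV", "original_name": "Solar export"},
            {"entity_id": "sensor.battery", "name": "Battery <b>main</b>", "original_name": "Battery"},
            {"entity_id": "sensor.heat_pump", "name": None, "original_name": "Heat pump <script>1</script>"},
            {"entity_id": "sensor.ev_charger", "name": "EV & charger", "original_name": "Charger"},
        ]
    }
})

# Ordered from most to least concerning; the first matching check wins.
CHECKS = [
    ("script-like content", re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.I)),
    ("HTML markup characters", re.compile(r"[<>]")),
    ("ampersand (review for entity-encoding tricks)", re.compile(r"&")),
]


def classify_name(name):
    """Return a reason string if the name looks like it carries markup, else None."""
    if not name:
        return None
    for reason, pattern in CHECKS:
        if pattern.search(name):
            return reason
    return None


def scan_entity_names(registry_json):
    """Report every entity whose displayed or default name contains markup.

    Both fields are checked because an energy integration can ship a bad
    default name even when the user never renamed the entity.
    """
    registry = json.loads(registry_json)
    findings = []
    for entity in registry["data"]["entities"]:
        for field in ("name", "original_name"):
            reason = classify_name(entity.get(field))
            if reason:
                findings.append({
                    "entity_id": entity["entity_id"],
                    "field": field,
                    "value": entity[field],
                    "reason": reason,
                })
                break  # one finding per entity is enough for triage
    return findings


def safe_tooltip_label(name):
    """What a tooltip renderer must do before placing a name into HTML:
    escape it so '<', '>', '&' and quotes render as text, not markup."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for f in scan_entity_names(SAMPLE_REGISTRY):
        print(f"{f['entity_id']}: {f['field']} = {f['value']!r} -> {f['reason']}")
    print(safe_tooltip_label("Battery <b>main</b>"))
```

Run it against a copy of the registry file on an instance that is still on a version below 2025.10.2; any finding with the "script-like content" reason is worth treating as a possible exploitation attempt, while plain markup or ampersands are usually harmless names that the upgraded frontend will now escape correctly.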
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Home Assistant to version 2025.10.2 or later, where this vulnerability has been patched. No known workarounds exist, so applying the update is critical. Additionally, restrict authenticated user permissions to prevent unauthorized changes to energy entity names and carefully vet any external energy providers to avoid malicious default entity names. [1]