Executive Summary

CVE-2025-65713 is a directory traversal vulnerability in the Home Assistant Core Downloader integration before version 2025.8.0. The Downloader integration does not fully validate file paths, specifically failing to block absolute paths starting with a leading slash ('/'). This allows an attacker to supply a crafted subdirectory path that causes files to be written outside the intended download directory. Exploitation requires tricking a Home Assistant administrator into invoking the downloader.download_file service with a malicious path, enabling arbitrary file creation or overwriting anywhere on the filesystem. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the Home Assistant server. An attacker can overwrite critical files with malicious code that executes upon Home Assistant restart, resulting in full server compromise. This includes control over connected smart home devices and theft of sensitive data. The attack requires social engineering to invoke the vulnerable service but can have severe consequences including unauthorized access and control. [2]

Useful 0 Not Useful 0

Detection Guidance

Detection involves checking if your Home Assistant Core version is prior to 2025.8.0 and if the Downloader integration is enabled. Additionally, monitoring for suspicious downloader.download_file service calls with absolute paths in the 'subdir' parameter (paths starting with '/') can indicate exploitation attempts. Since the vulnerability allows arbitrary file writes, inspecting logs for downloader service usage with absolute subdirectory paths or unexpected file writes outside the intended download directory is recommended. Specific commands depend on your system setup, but for example, you can check Home Assistant logs for downloader service calls or use commands to search for recently modified files outside expected directories. Example commands: 1) grep for downloader service calls in Home Assistant logs: `grep downloader.download_file /config/home-assistant.log` 2) find files modified recently outside the download directory: `find / -type f -mtime -1` (adjust time as needed). [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Home Assistant Core to version 2025.8.0 or later, where the vulnerability is patched by enforcing strict validation of download paths. Additionally, review and update any Downloader integration configurations to avoid using relative paths that may be affected. If upgrading immediately is not possible, restrict access to the downloader.download_file service to trusted users only and monitor for suspicious usage. Applying the patch from the official update ensures that absolute paths in the 'subdir' parameter are properly validated and rejected, preventing exploitation. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

The provided resources do not explicitly discuss the impact of CVE-2025-65713 on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows arbitrary file creation or overwriting anywhere on the filesystem, leading to potential remote code execution and full server compromise, it could indirectly affect compliance by risking unauthorized access to sensitive data and system integrity. This could result in violations of data protection and security requirements mandated by such regulations. Nonetheless, no direct statements about compliance impact are provided in the resources. [1, 2]

Useful 0 Not Useful 0