Bug 2392476 (CVE-2025-57808) - CVE-2025-57808 esphome: ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
Keywords:
Status: NEW
Alias: CVE-2025-57808
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2392534 2392535
Blocks:
Reported: 2025-09-02 01:01 UTC by OSIDB Bzimport
Modified: 2025-09-02 11:43 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-02 01:01:09 UTC
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
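The failure mode described above, as an added illustration that is not ESPHome's or ESP-IDF's code: a Basic-auth check that compares only as many bytes as the client supplied accepts an empty value (zero bytes compared) and any prefix of the expected credential, while a check that first requires an exact length match and then compares every byte rejects both. The length-limited comparison is an assumed pattern chosen to reproduce the described behaviour, and the credential value is constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed credential: base64("user:pass"). In a real server this is the
// value computed from the configured username and password.
static const char *kExpectedCredential = "dXNlcjpwYXNz";

// Weak check (assumed pattern, not ESPHome's code): the comparison length is
// taken from the client value, so "" compares zero bytes and passes, and any
// leading substring of the expected value also passes.
bool weak_auth_ok(const std::string &client_value) {
  return std::strncmp(client_value.c_str(), kExpectedCredential,
                      client_value.size()) == 0;
}

// Hardened comparison: lengths must match exactly, and every byte is examined
// with no early exit so timing does not reveal how many leading bytes matched.
bool constant_time_equal(const std::string &a, const std::string &b) {
  if (a.size() != b.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < a.size(); ++i) {
    diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
  }
  return diff == 0;
}

bool hardened_auth_ok(const std::string &client_value) {
  return constant_time_equal(client_value, kExpectedCredential);
}

// Extracts the base64 credential from an Authorization header of the form
// "Basic <value>". Returns false for any other scheme or a missing prefix,
// which callers must treat as "not authenticated".
bool parse_basic_header(const std::string &header, std::string &value_out) {
  static const std::string prefix = "Basic ";
  if (header.size() < prefix.size() ||
      header.compare(0, prefix.size(), prefix) != 0) {
    return false;
  }
  value_out = header.substr(prefix.size());
  return true;
}

int main() {
  // Constructed client inputs: empty, a prefix of the real credential, the
  // real credential, and a value with extra trailing data.
  const char *samples[] = {"", "dXNl", "dXNlcjpwYXNz", "dXNlcjpwYXNzX"};
  for (const char *s : samples) {
    std::printf("%-16s weak=%d hardened=%d\n", s, weak_auth_ok(s) ? 1 : 0,
                hardened_auth_ok(s) ? 1 : 0);
  }
  std::string value;
  std::printf("parse 'Bearer x' -> %d\n",
              parse_basic_header("Bearer x", value) ? 1 : 0);
  return 0;
}
```

The detection point for defenders is that the weak variant can be exercised with no knowledge of the credential at all, so any request that reaches a protected handler with an empty or very short `Basic` value deserves a log entry; the hardened variant makes length mismatch the first rejection, before any byte comparison.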

