PyPi: Esphome

CVE-2025-57808

Safety vulnerability ID: 79204

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 04, 2025 Updated at Oct 09, 2025

Scan your Python projects for vulnerabilities →

Advisory

Affected versions of the ESPHome package are vulnerable to Authentication Bypass due to improper length validation in the HTTP Basic Authentication implementation for ESP-IDF platform devices. The `AsyncWebServerRequest::authenticate` method in `web_server_idf` only compares bytes up to the length of the client-supplied base64-encoded authorization value rather than performing a full comparison against the correct credentials, allowing partial password matches or empty authorization headers to pass authentication checks.

Affected package

esphome

Latest version: 2025.9.3

ESPHome is a system to configure your microcontrollers by simple yet powerful configuration files and control them remotely through Home Automation systems.

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 5.1

CVSS v3 Details

HIGH 5.1

Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH