CVE-2025-57808 — HIGH (8.1)

Vulnerability Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Esphome	Esphome Firmware	2025.8.0

Related Weaknesses (CWE)

CWE-303

References

https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbPatch
https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635ExploitVendor Advisory
https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635ExploitVendor Advisory

FAQ

What is CVE-2025-57808?

CVE-2025-57808 is a vulnerability with a CVSS score of 8.1 (HIGH). ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly wh...

How severe is CVE-2025-57808?

CVE-2025-57808 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-57808?

Check the references section above for vendor advisories and patch information. Affected products include: Esphome Esphome Firmware.