CVE-2025-25305

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-25305

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25305.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25305

Aliases

GHSA-m3pm-rpgg-5wj6

Published

2025-02-18T18:53:10.870Z

Modified

2026-04-10T05:24:41.994691Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

SSL validation for outgoing requests in Home Assistant Core and used libs not correct

Details

Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25305.json",
    "cwe_ids": [
        "CWE-940"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/home-assistant/core

Affected ranges

Type

GIT

Repo

https://github.com/home-assistant/core

Events

Introduced

Fixed

1f7bf7c2a9d42cc1a9b74420e601b5e0a76493c1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2024.1.6"
        }
    ]
}

Affected versions

0.*

0.103.0

0.103.0b0

0.103.0b1

0.103.1

0.103.2

0.103.3

0.103.4

0.103.5

0.103.6

0.104.0

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.105.4

0.105.5

0.106.0

0.106.1

0.106.2

0.106.3

0.106.4

0.106.5

0.106.6

0.107.0

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.107.6

0.107.7

0.108.0

0.108.1

0.108.2

0.108.3

0.108.4

0.108.5

0.108.6

0.108.7

0.108.8

0.108.9

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.110.0

0.110.1

0.110.2

0.110.3

0.110.4

0.110.5

0.110.6

0.110.7

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.112.0

0.112.1

0.112.2

0.112.3

0.112.4

0.112.5

0.113.0

0.113.1

0.113.2

0.113.3

0.114.0

0.114.1

0.114.2

0.114.3

0.114.4

0.115.0

0.115.1

0.115.2

0.115.3

0.115.4

0.115.5

0.115.6

0.116.0

0.116.1

0.116.2

0.116.3

0.116.4

0.117.0

0.117.1

0.117.2

0.117.3

0.117.4

0.117.5

0.117.6

0.118.0

0.118.1

0.118.2

0.118.3

0.118.4

0.118.5

0.28

0.7.6

0.81.1

2020.*

2020.12.0

2020.12.1

2020.12.2

2021.*

2021.1.0

2021.1.1

2021.1.2

2021.1.3

2021.1.4

2021.1.5

2021.10.0

2021.10.1

2021.10.2

2021.10.3

2021.10.4

2021.10.5

2021.10.6

2021.10.7

2021.11.0

2021.11.1

2021.11.2

2021.11.3

2021.11.4

2021.11.5

2021.12.0

2021.12.1

2021.12.10

2021.12.2

2021.12.3

2021.12.4

2021.12.5

2021.12.6

2021.12.7

2021.12.8

2021.12.9

2021.2.0

2021.2.1

2021.2.2

2021.2.3

2021.3.0

2021.3.1

2021.3.2

2021.3.3

2021.3.4

2021.4.0

2021.4.1

2021.4.2

2021.4.3

2021.4.4

2021.4.5

2021.4.6

2021.5.0

2021.5.1

2021.5.2

2021.5.3

2021.5.4

2021.5.5

2021.6.0

2021.6.1

2021.6.2

2021.6.3

2021.6.4

2021.6.5

2021.6.6

2021.7.0

2021.7.1

2021.7.2

2021.7.3

2021.7.4

2021.8.0

2021.8.1

2021.8.2

2021.8.3

2021.8.4

2021.8.5

2021.8.6

2021.8.7

2021.8.8

2021.9.0

2021.9.1

2021.9.2

2021.9.3

2021.9.4

2021.9.5

2021.9.6

2021.9.7

2022.*

2022.10.0

2022.10.1

2022.10.2

2022.10.3

2022.10.4

2022.10.5

2022.11.0

2022.11.1

2022.11.2

2022.11.3

2022.11.4

2022.11.5

2022.12.0

2022.12.1

2022.12.2

2022.12.3

2022.12.4

2022.12.5

2022.12.6

2022.12.7

2022.12.8

2022.12.9

2022.2.0

2022.2.1

2022.2.2

2022.2.3

2022.2.4

2022.2.5

2022.2.6

2022.2.7

2022.2.8

2022.2.9

2022.3.0

2022.3.1

2022.3.2

2022.3.3

2022.3.4

2022.3.5

2022.3.6

2022.3.7

2022.3.8

2022.4.0

2022.4.1

2022.4.2

2022.4.3

2022.4.4

2022.4.5

2022.4.6

2022.4.7

2022.5.0

2022.5.1

2022.5.2

2022.5.3

2022.5.4

2022.5.5

2022.6.0

2022.6.1

2022.6.2

2022.6.3

2022.6.4

2022.6.5

2022.6.6

2022.6.7

2022.7.0

2022.7.1

2022.7.2

2022.7.3

2022.7.4

2022.7.5

2022.7.6

2022.7.7

2022.8.0

2022.8.1

2022.8.2

2022.8.3

2022.8.4

2022.8.5

2022.8.6

2022.8.7

2022.9.0

2022.9.1

2022.9.2

2022.9.3

2022.9.4

2022.9.5

2022.9.6

2022.9.7

2023.*

2023.1.0

2023.1.1

2023.1.2

2023.1.3

2023.1.4

2023.1.5

2023.1.6

2023.1.7

2023.10.0

2023.10.1

2023.10.2

2023.10.3

2023.10.4

2023.10.5

2023.11.0

2023.11.1

2023.11.2

2023.11.3

2023.12.0

2023.12.1

2023.12.2

2023.12.3

2023.12.4

2023.2.0

2023.2.1

2023.2.2

2023.2.3

2023.2.4

2023.2.5

2023.3.0

2023.3.1

2023.3.2

2023.3.3

2023.3.4

2023.3.5

2023.3.6

2023.4.0

2023.4.1

2023.4.2

2023.4.3

2023.4.4

2023.4.5

2023.4.6

2023.5.0

2023.5.1

2023.5.2

2023.5.3

2023.5.4

2023.6.0

2023.6.1

2023.6.2

2023.6.3

2023.7.0

2023.7.1

2023.7.2

2023.7.3

2023.8.0

2023.8.1

2023.8.2

2023.8.3

2023.8.4

2023.9.0

2023.9.1

2023.9.2

2023.9.3

2024.*

2024.1.0

2024.1.1

2024.1.2

2024.1.3

2024.1.4

2024.1.5

Other

Last-Python2-release

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25305.json"