GHSA-mxh2-ccgj-8635
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mxh2-ccgj-8635
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-mxh2-ccgj-8635/GHSA-mxh2-ccgj-8635.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mxh2-ccgj-8635
- Aliases
- Related
- Published
- 2025-09-02T16:46:58Z
- Modified
- 2025-09-02T17:12:32.501082Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
- Details
-
Summary
On the ESP-IDF platform, ESPHome's
web_serverauthentication check can pass incorrectly when the client-supplied base64-encodedAuthorizationvalue is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access toweb_serverfunctionality (including OTA, if enabled) without knowing any information about the correct username or password.Details
The HTTP basic auth check in
web_server_idf'sAsyncWebServerRequest::authenticateonly compares up toauth.value().size() - auth_prefix_lenbytes of the base64-encodeduser:passstring. This means a client-provided valuer likedXNlcjpz(user:s) will pass the check when the correct value is much longer, e.g.,dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=(user:somereallylongpass).Furthermore, the check will also pass when the supplied value is the empty string, which removes the need to know (or brute force) the username. A browser won't generally issue such a request, but it can easily be done by manually constructing the
Authorizaztionrequest header (e.g., viacurl).PoC
Configure ESPHome as follows:
esp32: board: ... framework: type: esp-idf web_server: auth: username: user password: somereallylongpassIn a browser, you can correctly log in by supplying username
userand passwordsomereallylongpass... but you can also incorrectly log in by supplying substrings of the password whose base64-encoded digest matches a prefix of the correct digest. (For example, I was able to log into an ESPHome device so configured by supplying passwordsome... or even justs.)You can also use a tool like
curlto manually set anAuthorizationrequest header that always passes the check without any knowledge of the username:$ curl -D- http://example.local/ HTTP/1.1 401 Unauthorized ... $ curl -D- -H 'Authorization: Basic ' http://example.local/ HTTP/1.1 200 OK ...Impact
This vulnerability effectively nullifies basic auth support for the ESP-IDF
web_server, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.Remediation
This vulnerability is fixed in 2025.8.1 and later.
For older versions, disabling the
web_servercomponent on ESP-IDF devices may be prudent, particularly if OTA updates throughweb_serverare enabled. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-09-02T16:46:58Z", "severity": "HIGH", "nvd_published_at": "2025-09-02T01:15:29Z", "cwe_ids": [ "CWE-187", "CWE-303" ] }- References
Affected packages
PyPI / esphome
Package
- Name
- esphome
- View open source insights on deps.dev
- Purl
- pkg:pypi/esphome
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2025.8.1