CVE-2025-57808
published 2025-09-02
Priority: P3 · 54 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit
EPSS: 1.51% (71.3rd percentile)
ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esphome | esphome | — | — |
| esphome | esphome | >= 0 < 2025.8.1 | 2025.8.1 |
| esphome | esphome_firmware | — | — |
Detection & IOCs (extracted from sources)
Shodan query: `http.title:"ESPHome"`
- Send a GET request with an empty or truncated base64-encoded Authorization header value (e.g., `Authorization: Basic` with no trailing credential data). A 200 response containing `Dashboard - ESPHome` in the body indicates a successful authentication bypass.
- The vulnerability is triggered when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value, causing the authentication check to pass incorrectly.
- The affected version is ESPHome 2025.8.0 on the ESP-IDF platform. Identify exposed instances via Shodan using the query `http.title:"ESPHome"`.
- Successful exploitation grants access to web_server functionality, including OTA updates, without any knowledge of valid credentials.
- Caveat: the bypass is confirmed only for ESPHome 2025.8.0 on the ESP-IDF platform; other platforms or versions are not confirmed vulnerable.
- Caveat: OTA exploitation is conditional; the web_server component must have OTA enabled for that attack surface to be reachable.
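The comparison flaw behind the description and the probe values listed above, as an added illustration that is not ESPHome's code: a hypothetical Basic-auth check that compares only as many bytes as the client supplied (CWE-187), beside a length-checked, constant-time version. The credential `admin:s3cret`, the expected base64 string and all function names are assumptions made for this example; the advisory says "substring", and what the vulnerable comparison below actually accepts is any prefix of the expected encoding, including the empty string.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical stored credential: base64("admin:s3cret"). The advisory gives
// no credentials; this value is constructed for the example.
static const std::string kExpectedB64 = "YWRtaW46czNjcmV0";

// Pull the base64 payload out of an HTTP Basic Authorization header value.
// Returns false if the scheme is not "Basic". A header with no payload
// yields an empty string, which is exactly the case the advisory describes.
static bool parse_basic_header(const std::string &header, std::string &b64_out) {
  static const std::string kScheme = "Basic";
  if (header.compare(0, kScheme.size(), kScheme) != 0) return false;
  size_t pos = kScheme.size();
  while (pos < header.size() && header[pos] == ' ') ++pos;
  b64_out = header.substr(pos);
  return true;
}

// Vulnerable pattern (CWE-187, partial string comparison): the comparison
// length is taken from the attacker-controlled value, so an empty payload
// compares zero bytes and any prefix of the expected string matches.
bool authenticate_vulnerable(const std::string &header) {
  std::string supplied;
  if (!parse_basic_header(header, supplied)) return false;
  return std::strncmp(supplied.c_str(), kExpectedB64.c_str(), supplied.size()) == 0;
}

// Hardened check: reject on length mismatch first (an empty or truncated
// payload can never match), then compare every byte in constant time so the
// comparison does not leak how many leading bytes were correct.
bool authenticate_fixed(const std::string &header) {
  std::string supplied;
  if (!parse_basic_header(header, supplied)) return false;
  if (supplied.size() != kExpectedB64.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < supplied.size(); ++i) {
    diff |= static_cast<unsigned char>(supplied[i]) ^
            static_cast<unsigned char>(kExpectedB64[i]);
  }
  return diff == 0;
}

int main() {
  // Constructed probe values mirroring the detection notes: the full
  // credential, the empty payload, base64("admin:s3c") (a prefix of the
  // expected encoding), a one-byte mismatch, and a non-Basic scheme.
  const char *probes[] = {"Basic YWRtaW46czNjcmV0", "Basic", "Basic YWRtaW46czNj",
                          "Basic YWRtaW46czNjcmV1", "Bearer x"};
  for (const char *p : probes) {
    std::cout << '"' << p << "\"  vulnerable=" << authenticate_vulnerable(p)
              << "  fixed=" << authenticate_fixed(p) << '\n';
  }
  return 0;
}
```

The partial-password case only lines up with a prefix of the encoded string when the truncation falls on a 3-byte boundary of the plaintext (`admin:s3c` is 9 bytes, so its encoding is the first 12 characters of the full one); the empty payload needs no such alignment and no knowledge of the credential at all, which is why the empty `Authorization: Basic` header is the simplest probe.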
GHSA · 2025-09-02 · CVE-2025-57808 [HIGH] · CWE-187 (Partial String Comparison)
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
### Summary
On the ESP-IDF platform, ESPHome's [`web_server` authentication](https://esphome.io/components/web_server.html#configuration-variables) check can pass incorrectly when the client-supplied base64-encoded `Authorization` value is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access to `web_server` functionality (including OTA, if enabled) without knowing any information about the correct username or password.
### Details
The HTTP basic auth check in `web_server_idf`'s [`AsyncWebServerRequest::authenticate`](https://github.com/esphome/esphome/blob/ef2121a215890d46dc1d25ad363611ecadc9e25e/esphome/components/web_server_idf/web_server_idf.cp
OSV · 2025-09-02 · CVE-2025-57808 [HIGH]
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
(Summary and Details are identical to the GHSA advisory text above.)
No detection rules found.
Nuclei · CVSS 8.1 · CVE-2025-57808 [HIGH]
ESPHome - Authentication Bypass
ESPHome 2025.8.0 contains an authentication bypass caused by improper validation of base64-encoded Authorization values in the web_server component, letting attackers access functionality without valid credentials. Exploitation requires a crafted Authorization header.
Template (truncated in the source):
```yaml
id: CVE-2025-57808

info:
  name: ESPHome - Authentication Bypass
  author: sean-kim
  severity: high
  description: |
    ESPHome 2025.8.0 contains an authentication bypass caused by improper validation of base64-encoded Authorization values in the web_server component, letting attackers access functionality without valid credentials, exploit requires crafted Authorization header.
  impact: |
    Attackers can bypass authentication to access web server functions, including OTA updates, potentially comprom
```
Published: 2025-09-02