A security flaw in ESPHome's web server component has left thousands of smart home devices open to unauthorized access, effectively negating HTTP basic authentication on ESP-IDF platform builds.
The vulnerability, tracked as CVE-2025-57808 with a CVSS rating of 8.1, affects ESPHome version 2025.8.0 and lets attackers bypass authentication without knowing any valid credentials.
This issue originates from a logic error in the HTTP basic authentication check within ESPHome's web_server_idf component.
When processing an authentication request, the AsyncWebServerRequest::authenticate function compares only as many bytes as the client-supplied authorization value contains, rather than verifying the entire credential string.
This implementation error creates two distinct attack vectors that completely undermine device security.
The most alarming consequence concerns empty authorization headers: an attacker gains full access simply by sending a request whose Authorization: Basic header is followed by an empty string.
Analysts from GitHub discovered that this attack vector requires no prior knowledge of usernames or passwords, making it especially dangerous against network-adjacent attackers.
The flaw also accepts partial password matches, so an attacker who learns even a prefix of the correct password can authenticate successfully.
Attack Mechanism and Technical Exploitation
The root cause is the flawed string comparison applied to the base64-encoded credentials.
When a device is configured with credentials such as user:somereallylongpass (base64-encoded as dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=), the faulty check accepts any shorter prefix, such as dXNlcjpz (the encoding of user:s), as a valid credential.
Exploitation requires little technical expertise; the vulnerability can be demonstrated with a single curl command:
curl -D- -H 'Authorization: Basic ' http://target.local/
This request bypasses authentication entirely, returning an HTTP 200 response instead of the expected 401 Unauthorized.
The vulnerability is particularly serious when Over-The-Air (OTA) updates are enabled, since an attacker who reaches the web server can then gain full control over the device firmware and configuration.
ESPHome fixed the issue in version 2025.8.1, which validates the complete authorization string instead of accepting partial matches.
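To make the defect concrete, the following is an added illustration (example code written for this page, not ESPHome's own implementation) of a length-truncated comparison of the kind described above beside a corrected full-length check of the kind the 2025.8.1 fix introduces. The function names and the extract_basic_credential helper are hypothetical; the expected credential is the page's user:somereallylongpass example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Base64 of "user:somereallylongpass", the example credential quoted on the page.
static const std::string kExpectedB64 = "dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=";

// Flawed shape: compare only as many bytes as the client supplied.
// An empty value matches trivially, and any prefix of the real value matches.
bool flawed_check(const std::string& client_b64) {
  return std::strncmp(kExpectedB64.c_str(), client_b64.c_str(), client_b64.size()) == 0;
}

// Corrected check: lengths must match, and every byte is compared without an
// early exit so the loop does not leak the first mismatching position via timing.
bool fixed_check(const std::string& client_b64) {
  if (client_b64.size() != kExpectedB64.size()) return false;
  unsigned char diff = 0;
  for (std::size_t i = 0; i < kExpectedB64.size(); ++i)
    diff |= static_cast<unsigned char>(kExpectedB64[i] ^ client_b64[i]);
  return diff == 0;
}

// Hypothetical helper: pull the base64 value out of an "Basic <b64>" header value.
// Returns false for any other scheme so non-Basic headers are never accepted.
bool extract_basic_credential(const std::string& header, std::string& out_b64) {
  static const char kPrefix[] = "Basic ";
  const std::size_t n = sizeof(kPrefix) - 1;
  if (header.compare(0, n, kPrefix) != 0) return false;
  out_b64 = header.substr(n);
  return true;
}

// End-to-end decision for a raw Authorization header value, flawed variant.
bool authorized_flawed(const std::string& header) {
  std::string b64;
  return extract_basic_credential(header, b64) && flawed_check(b64);
}

// End-to-end decision for a raw Authorization header value, corrected variant.
bool authorized_fixed(const std::string& header) {
  std::string b64;
  return extract_basic_credential(header, b64) && fixed_check(b64);
}
```

Feeding the empty header from the curl example and the user:s prefix to both variants shows the flawed version accepting both while the corrected version accepts only the complete credential.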