CVE-2025-25305
Description
Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
homeassistantPyPI | < 2024.1.6 | 2024.1.6 |
Patches
21f7bf7c2a9d48c6547f1b64fPass default SSLContext instances to Octoprint custom HTTP sessions (#105351)
2 files changed · +8 −2
homeassistant/components/octoprint/config_flow.py+4 −1 modified@@ -24,6 +24,7 @@ ) from homeassistant.data_entry_flow import FlowResult import homeassistant.helpers.config_validation as cv +from homeassistant.util.ssl import get_default_context, get_default_no_verify_context from .const import DOMAIN @@ -264,7 +265,9 @@ def _get_octoprint_client(self, user_input: dict) -> OctoprintClient: connector = aiohttp.TCPConnector( force_close=True, - ssl=False if not verify_ssl else None, + ssl=get_default_no_verify_context() + if not verify_ssl + else get_default_context(), ) session = aiohttp.ClientSession(connector=connector) self._sessions.append(session)
homeassistant/components/octoprint/__init__.py+4 −1 modified@@ -26,6 +26,7 @@ import homeassistant.helpers.config_validation as cv from homeassistant.helpers.typing import ConfigType from homeassistant.util import slugify as util_slugify +from homeassistant.util.ssl import get_default_context, get_default_no_verify_context from .const import DOMAIN from .coordinator import OctoprintDataUpdateCoordinator @@ -159,7 +160,9 @@ async def async_setup_entry(hass: HomeAssistant, entry: ConfigEntry) -> bool: connector = aiohttp.TCPConnector( force_close=True, - ssl=False if not entry.data[CONF_VERIFY_SSL] else None, + ssl=get_default_no_verify_context() + if not entry.data[CONF_VERIFY_SSL] + else get_default_context(), ) session = aiohttp.ClientSession(connector=connector)
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.