High severity · NVD Advisory · Published Sep 2, 2025 · Updated Sep 2, 2025
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
CVE-2025-57808
Description
ESPHome is a system to control microcontrollers remotely through home automation systems. In version 2025.8.0 on the ESP-IDF platform, ESPHome's web_server authentication check passes incorrectly when the client-supplied base64-encoded Authorization value is empty or is a leading substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing anything about the correct username or password. This issue has been patched in version 2025.8.1.
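The comparison flaw described above, as an added example that is not ESPHome's code: a simplified before and after version of the Basic-auth check, plus a length-checking constant-time variant that goes beyond the patch. The credential digest is a constructed value, base64("admin:secret"); the function names and the AUTH_PREFIX constant are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed credential: base64("admin:secret"). Real code would compute
 * this from the configured username and password at request time. */
#define EXPECTED_DIGEST "YWRtaW46c2VjcmV0"
#define AUTH_PREFIX "Basic "

/* Shared step: ensure the header carries the scheme prefix and return a
 * pointer to the client-supplied value after it, or NULL if it does not. */
static const char *client_value(const char *header) {
  size_t prefix_len = strlen(AUTH_PREFIX);
  if (header == NULL || strncmp(header, AUTH_PREFIX, prefix_len) != 0)
    return NULL;
  return header + prefix_len;
}

/* Pre-fix logic: the comparison length comes from the request, so an
 * empty value (n == 0) or any leading substring of the digest matches. */
bool authenticate_before_fix(const char *header, const char *digest) {
  const char *value = client_value(header);
  if (value == NULL) return false;
  return strncmp(digest, value, strlen(value)) == 0;
}

/* Post-fix logic (the patch's approach): the whole digest must match. */
bool authenticate_after_fix(const char *header, const char *digest) {
  const char *value = client_value(header);
  if (value == NULL) return false;
  return strcmp(digest, value) == 0;
}

/* Beyond the patch: same exact-match semantics, but the byte comparison
 * does not stop at the first difference, so response timing does not
 * reveal how many leading bytes of the digest the client got right. */
bool authenticate_constant_time(const char *header, const char *digest) {
  const char *value = client_value(header);
  if (value == NULL) return false;
  size_t dlen = strlen(digest);
  if (strlen(value) != dlen) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < dlen; i++)
    diff |= (unsigned char)(digest[i] ^ value[i]);
  return diff == 0;
}
```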
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| esphome (PyPI) | < 2025.8.1 | 2025.8.1 |
Affected products
Patches (1)
1. 2aceb56606ec: Merge commit from fork
1 file changed · +1 −1
esphome/components/web_server_idf/web_server_idf.cpp+1 −1 modified@@ -253,7 +253,7 @@ bool AsyncWebServerRequest::authenticate(const char *username, const char *passw esp_crypto_base64_encode(reinterpret_cast<uint8_t *>(digest.get()), n, &out, reinterpret_cast<const uint8_t *>(user_info.c_str()), user_info.size()); - return strncmp(digest.get(), auth_str + auth_prefix_len, auth.value().size() - auth_prefix_len) == 0; + return strcmp(digest.get(), auth_str + auth_prefix_len) == 0; } void AsyncWebServerRequest::requestAuthentication(const char *realm) const {
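Review bot: The one-line change from strncmp to strcmp is the right fix, because the old length argument, auth.value().size() - auth_prefix_len, was derived from the client-supplied header: an Authorization value consisting of only the prefix gives a length of 0, for which strncmp returns 0 regardless of content, and any value that is a leading substring of the encoded digest also compares equal. strcmp compares through both terminators, so only an exact match of the full digest passes. Two follow-ups worth considering: a short comment on the return line explaining why the comparison must not be bounded by the request's length, so the pattern is not reintroduced; and, since strcmp exits at the first differing byte, a fixed-length constant-time comparison over the digest if timing leakage of the credential is in scope for this server.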
References (4)
- github.com/advisories/GHSA-mxh2-ccgj-8635 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57808 (NVD advisory)
- github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5 (fix commit)
- github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635 (ESPHome security advisory)