CVE-2023-41899 MEDIUM

CVE-2023-41899: Partial Server-Side Request Forgery in Home Assistant Core

Vendor Home-Assistant
Product core
Weakness CWE-918 · SSRF
Published October 19, 2023
Last update September 12, 2024
View on NVD All CVEs

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Home assistant is an open source home automation. In affected versions the `hassio.addon_stdin` is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g.: through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a POST request. An attacker able to exploit will be able to control the data dictionary, including its addon and input key/values. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-162`.

Key dates

02Disclosure timeline

October 19, 2023 CVE published
September 12, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-25777 Server-Side Request Forgery in Asset section CVE-2023-42477 Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) CVE-2022-1191 SSRF on index.php/cobrowse/proxycss/ in livehelperchat/livehelperchat CVE-2025-14627 WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass CVE-2025-47791 Nextcloud Server's test remote endpoint is not rate limited