CVE-2025-57808 HIGH

CVE-2025-57808: ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header

Vendor Esphome
Product esphome
Weakness CWE-303
Published September 2, 2025
Last update September 2, 2025

CVSS base score

8.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 on the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
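The defect class the description names (an empty or prefix base64 value being accepted), as an added illustration that is not ESPHome's code: a hypothetical check that compares only as many bytes as the client supplied, beside a fixed version that requires an exact-length match and compares in constant time. The credential and header values are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: base64("user:secret"). */
static const char EXPECTED_B64[] = "dXNlcjpzZWNyZXQ=";

/* Return the token after "Basic ", or NULL when the header is absent or is
 * not a Basic credential. Callers must treat NULL as an authentication failure. */
const char *basic_token(const char *authorization_header) {
    static const char prefix[] = "Basic ";
    if (authorization_header == NULL) return NULL;
    if (strncmp(authorization_header, prefix, sizeof(prefix) - 1) != 0) return NULL;
    return authorization_header + sizeof(prefix) - 1;
}

/* Vulnerable pattern (hypothetical, for illustration): the comparison length is
 * taken from the client's value, so "" (length 0) and any prefix of the expected
 * value compare equal. This is the CWE-303 shape described in the record. */
bool auth_check_vulnerable(const char *client_b64) {
    size_t n = strlen(client_b64);
    return strncmp(client_b64, EXPECTED_B64, n) == 0;
}

/* Fixed pattern: reject NULL and any length mismatch first, then compare every
 * byte without early exit so the comparison time does not leak the match prefix. */
bool auth_check_fixed(const char *client_b64) {
    size_t expected_len = sizeof(EXPECTED_B64) - 1;
    if (client_b64 == NULL || strlen(client_b64) != expected_len) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)client_b64[i] ^ (unsigned char)EXPECTED_B64[i];
    return diff == 0;
}

/* Full request path for the fixed version: missing header -> deny. */
bool request_authorized(const char *authorization_header) {
    const char *token = basic_token(authorization_header);
    return token != NULL && auth_check_fixed(token);
}

int main(void) {
    const char *probes[] = {"", "dXNl", "dXNlcjpzZWNyZXQ="};
    for (size_t i = 0; i < 3; i++)
        printf("token \"%s\": vulnerable=%d fixed=%d\n", probes[i],
               auth_check_vulnerable(probes[i]), auth_check_fixed(probes[i]));
    printf("no header: fixed=%d\n", request_authorized(NULL));
    return 0;
}
```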

Key dates

Disclosure timeline

September 2, 2025 CVE published
September 2, 2025 Record updated