CWE-303
AllowedIncorrect Implementation of Authentication Algorithm
Abstraction: Base · Status: Draft
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
153 vulnerabilities reference this CWE, most recent first.
GHSA-H9Q2-GJ3J-2X77
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31D-Link DIR-X3260 prog.cgi Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-X3260 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the prog.cgi executable. The issue results from an incorrect implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the device. Was ZDI-CAN-21100.
{
"affected": [],
"aliases": [
"CVE-2023-44420"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:56Z",
"severity": "HIGH"
},
"details": "D-Link DIR-X3260 prog.cgi Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-X3260 routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the prog.cgi executable. The issue results from an incorrect implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the device. Was ZDI-CAN-21100.",
"id": "GHSA-h9q2-gj3j-2x77",
"modified": "2024-05-03T03:31:04Z",
"published": "2024-05-03T03:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44420"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1518"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM57-H27X-599C
Vulnerability from github – Published: 2024-10-28 15:31 – Updated: 2024-10-30 18:50Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 incorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20240821220019-0d6b1070a26f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-10214"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-28T18:43:49Z",
"nvd_published_at": "2024-10-28T15:15:04Z",
"severity": "LOW"
},
"details": "Mattermost versions 9.11.X \u003c= 9.11.1, 9.5.x \u003c= 9.5.9 incorrectly issues two sessions when using desktop SSO - one in the browser and one in desktop with incorrect settings.",
"id": "GHSA-hm57-h27x-599c",
"modified": "2024-10-30T18:50:51Z",
"published": "2024-10-28T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10214"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/0d6b1070a26f0b9fc13f7e7fbbe18b6a31570c5a"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hm57-h27x-599c"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mattermost incorrectly issues two sessions when using desktop SSO"
}
GHSA-J8HH-2V2C-WQMV
Vulnerability from github – Published: 2024-01-12 09:30 – Updated: 2024-01-12 09:30Insufficient authentication flow in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows attacker to use locked credentials
{
"affected": [],
"aliases": [
"CVE-2023-31211"
],
"database_specific": {
"cwe_ids": [
"CWE-303",
"CWE-670",
"CWE-691"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-12T08:15:43Z",
"severity": "HIGH"
},
"details": "Insufficient authentication flow in Checkmk before 2.2.0p17, 2.1.0p37 and 2.0.0p39 allows attacker to use locked credentials",
"id": "GHSA-j8hh-2v2c-wqmv",
"modified": "2024-01-12T09:30:29Z",
"published": "2024-01-12T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31211"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16227"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH98-QR76-24J7
Vulnerability from github – Published: 2025-03-25 06:30 – Updated: 2025-03-25 06:30An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Ses-sion vulnerability in the session handling used in B&R APROL <4.4-00P5 may allow an authenticated network attacker to take over a currently active user session without login credentials.
{
"affected": [],
"aliases": [
"CVE-2024-8314"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T05:15:40Z",
"severity": "MODERATE"
},
"details": "An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Ses-sion vulnerability in the session handling used in B\u0026R APROL \u003c4.4-00P5 may allow an authenticated network attacker to take over a currently active user session without login credentials.",
"id": "GHSA-jh98-qr76-24j7",
"modified": "2025-03-25T06:30:26Z",
"published": "2025-03-25T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8314"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/fileadmin/SA24P015-77573c08.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M2H6-V37R-R43P
Vulnerability from github – Published: 2023-06-14 00:30 – Updated: 2025-10-22 00:32Microsoft SharePoint Server Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-29357"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T00:15:09Z",
"severity": "CRITICAL"
},
"details": "Microsoft SharePoint Server Elevation of Privilege Vulnerability",
"id": "GHSA-m2h6-v37r-r43p",
"modified": "2025-10-22T00:32:44Z",
"published": "2023-06-14T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29357"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M3XW-WJV6-WX6X
Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-20 00:00A vulnerability has been identified in Opcenter Quality V13.1 (All versions < V13.1.20220624), Opcenter Quality V13.2 (All versions < V13.2.20220624). The affected applications do not properly validate login information during authentication. This could lead to denial of service condition for existing users or allow unauthenticated remote attackers to successfully login without credentials.
{
"affected": [],
"aliases": [
"CVE-2022-33736"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Opcenter Quality V13.1 (All versions \u003c V13.1.20220624), Opcenter Quality V13.2 (All versions \u003c V13.2.20220624). The affected applications do not properly validate login information during authentication. This could lead to denial of service condition for existing users or allow unauthenticated remote attackers to successfully login without credentials.",
"id": "GHSA-m3xw-wjv6-wx6x",
"modified": "2022-07-20T00:00:18Z",
"published": "2022-07-13T00:01:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33736"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-944952.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9QP-FRXF-WHQW
Vulnerability from github – Published: 2026-01-07 18:30 – Updated: 2026-01-07 18:30Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.
{
"affected": [],
"aliases": [
"CVE-2025-4676"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T17:16:00Z",
"severity": "HIGH"
},
"details": "Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.",
"id": "GHSA-m9qp-frxf-whqw",
"modified": "2026-01-07T18:30:25Z",
"published": "2026-01-07T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4676"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MC2F-JGJ6-6CP3
Vulnerability from github – Published: 2025-05-30 15:30 – Updated: 2025-05-30 18:48Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.7.0-rc1"
},
{
"fixed": "10.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.6.0-rc1"
},
{
"fixed": "10.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0-rc1"
},
{
"fixed": "10.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-rc1"
},
{
"fixed": "9.11.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20250402193107-65343f84a783"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3230"
],
"database_specific": {
"cwe_ids": [
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-30T18:48:27Z",
"nvd_published_at": "2025-05-30T15:15:41Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 10.7.x \u003c= 10.7.0, 10.6.x \u003c= 10.6.2, 10.5.x \u003c= 10.5.3, 9.11.x \u003c= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.",
"id": "GHSA-mc2f-jgj6-6cp3",
"modified": "2025-05-30T18:48:28Z",
"published": "2025-05-30T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3230"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/65343f84a7830fa8078fe3df879fca924e4fac01"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to properly invalidate personal access tokens upon user deactivation"
}
GHSA-MP6X-97XJ-9X62
Vulnerability from github – Published: 2025-11-27 18:30 – Updated: 2025-12-01 23:57Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20251022210333-acda1fb5dd46"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.12.0"
},
{
"fixed": "10.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.5.0"
},
{
"fixed": "10.5.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12421"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-01T23:57:10Z",
"nvd_published_at": "2025-11-27T18:15:46Z",
"severity": "CRITICAL"
},
"details": "Mattermost versions 11.0.x \u003c= 11.0.2, 10.12.x \u003c= 10.12.1, 10.11.x \u003c= 10.11.4, 10.5.x \u003c= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).",
"id": "GHSA-mp6x-97xj-9x62",
"modified": "2025-12-01T23:57:10Z",
"published": "2025-11-27T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12421"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/5072bbf689a46b3b97b2373f26149f5891396e6b"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/acda1fb5dd46a2f46c76ae67012423c760525eaa"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/f361e7d75a7ab9df5a2106e1ceb919b94b55e41d"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/feb598ed2b7ac3cb78a253b032ad7e4628b0de00"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to to verify the token used during code exchange"
}
GHSA-MXH2-CCGJ-8635
Vulnerability from github – Published: 2025-09-02 16:46 – Updated: 2025-09-02 16:46Summary
On the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password.
Details
The HTTP basic auth check in web_server_idf's AsyncWebServerRequest::authenticate only compares up to auth.value().size() - auth_prefix_len bytes of the base64-encoded user:pass string. This means a client-provided valuer like dXNlcjpz (user:s) will pass the check when the correct value is much longer, e.g., dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M= (user:somereallylongpass).
Furthermore, the check will also pass when the supplied value is the empty string, which removes the need to know (or brute force) the username. A browser won't generally issue such a request, but it can easily be done by manually constructing the Authorizaztion request header (e.g., via curl).
PoC
Configure ESPHome as follows:
esp32:
board: ...
framework:
type: esp-idf
web_server:
auth:
username: user
password: somereallylongpass
In a browser, you can correctly log in by supplying username user and password somereallylongpass... but you can also incorrectly log in by supplying substrings of the password whose base64-encoded digest matches a prefix of the correct digest. (For example, I was able to log into an ESPHome device so configured by supplying password some... or even just s.)
You can also use a tool like curl to manually set an Authorization request header that always passes the check without any knowledge of the username:
$ curl -D- http://example.local/
HTTP/1.1 401 Unauthorized
...
$ curl -D- -H 'Authorization: Basic ' http://example.local/
HTTP/1.1 200 OK
...
Impact
This vulnerability effectively nullifies basic auth support for the ESP-IDF web_server, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.
Remediation
This vulnerability is fixed in 2025.8.1 and later.
For older versions, disabling the web_server component on ESP-IDF devices may be prudent, particularly if OTA updates through web_server are enabled.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2025.8.0"
},
"package": {
"ecosystem": "PyPI",
"name": "esphome"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-57808"
],
"database_specific": {
"cwe_ids": [
"CWE-187",
"CWE-303"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-02T16:46:58Z",
"nvd_published_at": "2025-09-02T01:15:29Z",
"severity": "HIGH"
},
"details": "### Summary\nOn the ESP-IDF platform, ESPHome\u0027s [`web_server` authentication](https://esphome.io/components/web_server.html#configuration-variables) check can pass incorrectly when the client-supplied base64-encoded `Authorization` value is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access to `web_server` functionality (including OTA, if enabled) without knowing any information about the correct username or password.\n\n### Details\nThe HTTP basic auth check in `web_server_idf`\u0027s [`AsyncWebServerRequest::authenticate`](https://github.com/esphome/esphome/blob/ef2121a215890d46dc1d25ad363611ecadc9e25e/esphome/components/web_server_idf/web_server_idf.cpp#L256) only compares up to `auth.value().size() - auth_prefix_len` bytes of the base64-encoded `user:pass` string. This means a client-provided valuer like `dXNlcjpz` (`user:s`) will pass the check when the correct value is much longer, e.g., `dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=` (`user:somereallylongpass`).\n\nFurthermore, the check will also pass when the supplied value is the empty string, which removes the need to know (or brute force) the username. A browser won\u0027t generally issue such a request, but it can easily be done by manually constructing the `Authorizaztion` request header (e.g., via `curl`).\n\n### PoC\nConfigure ESPHome as follows:\n\n```yaml\nesp32:\n board: ...\n framework:\n type: esp-idf\nweb_server:\n auth:\n username: user\n password: somereallylongpass\n```\n\nIn a browser, you can correctly log in by supplying username `user` and password `somereallylongpass`... but you can _also_ incorrectly log in by supplying _substrings_ of the password whose base64-encoded digest matches a _prefix_ of the correct digest. (For example, I was able to log into an ESPHome device so configured by supplying password `some`... or even just `s`.)\n\nYou can also use a tool like `curl` to manually set an `Authorization` request header that _always_ passes the check without any knowledge of the username:\n\n```\n$ curl -D- http://example.local/\nHTTP/1.1 401 Unauthorized\n...\n\n$ curl -D- -H \u0027Authorization: Basic \u0027 http://example.local/\nHTTP/1.1 200 OK\n...\n```\n\n### Impact\nThis vulnerability effectively nullifies basic auth support for the ESP-IDF `web_server`, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.\n\n### Remediation\nThis vulnerability is fixed in 2025.8.1 and later.\n\nFor older versions, disabling the `web_server` component on ESP-IDF devices may be prudent, particularly if OTA updates through `web_server` are enabled.",
"id": "GHSA-mxh2-ccgj-8635",
"modified": "2025-09-02T16:46:58Z",
"published": "2025-09-02T16:46:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57808"
},
{
"type": "WEB",
"url": "https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5"
},
{
"type": "PACKAGE",
"url": "https://github.com/esphome/esphome"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header"
}
No mitigation information available for this CWE.
CAPEC-90: Reflection Attack in Authentication Protocol
An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.