cvelistv5 - cve-2025-25305

CVE-2025-25305 (GCVE-0-2025-25305)

Vulnerability from cvelistv5 – Published: 2025-02-18 18:53 – Updated: 2025-02-18 19:23

Summary

Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-940 - Improper Verification of Source of a Communication Channel

Assigner

GitHub_M

References

URL

Tags

https://github.com/home-assistant/core/security/a…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	home-assistant	core	Affected: < 2024.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25305",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T19:23:18.464411Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T19:23:41.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "core",
          "vendor": "home-assistant",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2024.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-940",
              "description": "CWE-940: Improper Verification of Source of a Communication Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-18T18:53:10.870Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
        }
      ],
      "source": {
        "advisory": "GHSA-m3pm-rpgg-5wj6",
        "discovery": "UNKNOWN"
      },
      "title": "SSL validation for outgoing requests in Home Assistant Core and used libs not correct"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25305",
    "datePublished": "2025-02-18T18:53:10.870Z",
    "dateReserved": "2025-02-06T17:13:33.124Z",
    "dateUpdated": "2025-02-18T19:23:41.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-25305\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-18T19:15:29.083\",\"lastModified\":\"2025-02-18T19:15:29.083\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Home Assistant Core es una automatizaci\u00f3n de origen de c\u00f3digo abierto que pone primero el control local y la privacidad. Las versiones afectadas est\u00e1n sujetas a los posibles ataques de hombre en el medio debido a la verificaci\u00f3n de certificado SSL faltante en la base de c\u00f3digo del proyecto y usaron de terceros librer\u00edas. En el pasado, `aiohttp-session`/` request \u0027ten\u00eda el par\u00e1metro `verify_ssl` para controlar la verificaci\u00f3n del certificado SSL. Este era un valor booleano. En `aiohttp` 3.0, este par\u00e1metro estaba desapercibido a favor del par\u00e1metro` SSL`. Solo cuando `SSL` se establece en` None` o se proporciona con un contexto SSL configurado correcto, la verificaci\u00f3n de certificado SSL est\u00e1ndar ocurrir\u00e1. Al migrar las integraciones en el Asistente de inicio librer\u00edas Aries utilizados por el Asistente de inicio, en algunos casos el valor del par\u00e1metro `Verify_SSL` se movi\u00f3 al nuevo par\u00e1metro` SSL`. Esto dio como resultado estas integraciones y librer\u00edas usando `request.ssl ??= true`, que desactiv\u00f3 involuntariamente la verificaci\u00f3n del certificado SSL y abri\u00f3 un vector de ataque de hombre en el medio. Este problema se ha abordado en la versi\u00f3n 2024.1.6 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-940\"}]}],\"references\":[{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-M3PM-RPGG-5WJ6

Vulnerability from github – Published: 2025-02-18 19:25 – Updated: 2025-02-18 22:51

Summary

Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

Details

Summary

Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.

Details

In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen.

When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.

Example: https://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84

When you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.

The general handling in Home Assistant looks good, as homeassistant.helpers.aoihttp_client._async_get_connector handles it correctly.

PoC

Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.
Add the integration adguard with the setting host=expired.badssl.com, port=443, use-ssl=true, verify-ssl=true.
Check the logs - you get a HTTP 403 response.

Expected behavior: 1. The integration log shows an ssl.SSLCertVerificationError.

The following code shows the problem with ssl=True. No exception is raised when ssl=True (Python 3.11.6).

import asyncio
from ssl import SSLCertVerificationError

import aiohttp

BAD_URL = "https://expired.badssl.com/"


async def run_request(verify_ssl, result_placeholder: str):
    async with aiohttp.ClientSession() as session:
        exception_fired: bool = False
        try:
            await session.request("OPTIONS", BAD_URL, ssl=verify_ssl)
        except SSLCertVerificationError:
            exception_fired = True
        except Exception as error:
            print(error)
        else:
            exception_fired = False
        print(result_placeholder.format(exception_result=exception_fired))


# Case 1: ssl=False --> expected result: No exception
asyncio.run(run_request(False, "Test case 1: expected result: False - result: {exception_result}"))

# Case 2: ssl=None --> expected result: Exception
asyncio.run(run_request(None, "Test case 2: expected result: True - result: {exception_result}"))

# Case 3: ssl=True --> expected result: No Exception
asyncio.run(run_request(True, "Test case 3: expected result: False - result: {exception_result}"))

Severity ?

7.0 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "homeassistant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2024.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-18T19:25:24Z",
    "nvd_published_at": "2025-02-18T19:15:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nProblem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.\n\n## Details\n\nIn the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen.\n\nWhen migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.\n\nExample:\nhttps://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84\n\nWhen you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.\n\nThe general handling in Home Assistant looks good, as `homeassistant.helpers.aoihttp_client._async_get_connector` handles it correctly.\n\n## PoC\n\n1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.\n2. Add the integration adguard with the setting `host=expired.badssl.com`, `port=443`, `use-ssl=true`, `verify-ssl=true`.\n3. Check the logs - you get a HTTP 403 response.\n\nExpected behavior:\n1. The integration log shows an `ssl.SSLCertVerificationError`.\n\nThe following code shows the problem with `ssl=True`. No exception is raised when `ssl=True` (Python 3.11.6).\n\n```\nimport asyncio\nfrom ssl import SSLCertVerificationError\n\nimport aiohttp\n\nBAD_URL = \"https://expired.badssl.com/\"\n\n\nasync def run_request(verify_ssl, result_placeholder: str):\n    async with aiohttp.ClientSession() as session:\n        exception_fired: bool = False\n        try:\n            await session.request(\"OPTIONS\", BAD_URL, ssl=verify_ssl)\n        except SSLCertVerificationError:\n            exception_fired = True\n        except Exception as error:\n            print(error)\n        else:\n            exception_fired = False\n        print(result_placeholder.format(exception_result=exception_fired))\n\n\n# Case 1: ssl=False --\u003e expected result: No exception\nasyncio.run(run_request(False, \"Test case 1: expected result: False - result: {exception_result}\"))\n\n# Case 2: ssl=None --\u003e expected result: Exception\nasyncio.run(run_request(None, \"Test case 2: expected result: True - result: {exception_result}\"))\n\n# Case 3: ssl=True --\u003e expected result: No Exception\nasyncio.run(run_request(True, \"Test case 3: expected result: False - result: {exception_result}\"))\n\n```",
  "id": "GHSA-m3pm-rpgg-5wj6",
  "modified": "2025-02-18T22:51:42Z",
  "published": "2025-02-18T19:25:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/commit/8c6547f1b64f4a3d9f10090b97383353c9367892"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/home-assistant/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Home Assistant does not correctly validate SSL for outgoing requests in core and used libs"
}

FKIE_CVE-2025-25305

Vulnerability from fkie_nvd - Published: 2025-02-18 19:15 - Updated: 2025-02-18 19:15

Severity ?

7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Home Assistant Core es una automatizaci\u00f3n de origen de c\u00f3digo abierto que pone primero el control local y la privacidad. Las versiones afectadas est\u00e1n sujetas a los posibles ataques de hombre en el medio debido a la verificaci\u00f3n de certificado SSL faltante en la base de c\u00f3digo del proyecto y usaron de terceros librer\u00edas. En el pasado, `aiohttp-session`/` request \u0027ten\u00eda el par\u00e1metro `verify_ssl` para controlar la verificaci\u00f3n del certificado SSL. Este era un valor booleano. En `aiohttp` 3.0, este par\u00e1metro estaba desapercibido a favor del par\u00e1metro` SSL`. Solo cuando `SSL` se establece en` None` o se proporciona con un contexto SSL configurado correcto, la verificaci\u00f3n de certificado SSL est\u00e1ndar ocurrir\u00e1. Al migrar las integraciones en el Asistente de inicio librer\u00edas Aries utilizados por el Asistente de inicio, en algunos casos el valor del par\u00e1metro `Verify_SSL` se movi\u00f3 al nuevo par\u00e1metro` SSL`. Esto dio como resultado estas integraciones y librer\u00edas usando `request.ssl ??= true`, que desactiv\u00f3 involuntariamente la verificaci\u00f3n del certificado SSL y abri\u00f3 un vector de ataque de hombre en el medio. Este problema se ha abordado en la versi\u00f3n 2024.1.6 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-25305",
  "lastModified": "2025-02-18T19:15:29.083",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-18T19:15:29.083",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-940"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-25305 (GCVE-0-2025-25305)

GHSA-M3PM-RPGG-5WJ6

Summary

Details

PoC

FKIE_CVE-2025-25305

Tags

Sightings

Nomenclature