GHSA-M3PM-RPGG-5WJ6
Vulnerability from github – Published: 2025-02-18 19:25 – Updated: 2025-02-18 22:51
VLAI?
Summary
Home Assistant does not correctly validate SSL for outgoing requests in core and used libs
Details
Summary
Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.
Details
In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen.
When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.
Example: https://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84
When you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.
The general handling in Home Assistant looks good, as homeassistant.helpers.aoihttp_client._async_get_connector handles it correctly.
PoC
- Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.
- Add the integration adguard with the setting
host=expired.badssl.com,port=443,use-ssl=true,verify-ssl=true. - Check the logs - you get a HTTP 403 response.
Expected behavior:
1. The integration log shows an ssl.SSLCertVerificationError.
The following code shows the problem with ssl=True. No exception is raised when ssl=True (Python 3.11.6).
import asyncio
from ssl import SSLCertVerificationError
import aiohttp
BAD_URL = "https://expired.badssl.com/"
async def run_request(verify_ssl, result_placeholder: str):
async with aiohttp.ClientSession() as session:
exception_fired: bool = False
try:
await session.request("OPTIONS", BAD_URL, ssl=verify_ssl)
except SSLCertVerificationError:
exception_fired = True
except Exception as error:
print(error)
else:
exception_fired = False
print(result_placeholder.format(exception_result=exception_fired))
# Case 1: ssl=False --> expected result: No exception
asyncio.run(run_request(False, "Test case 1: expected result: False - result: {exception_result}"))
# Case 2: ssl=None --> expected result: Exception
asyncio.run(run_request(None, "Test case 2: expected result: True - result: {exception_result}"))
# Case 3: ssl=True --> expected result: No Exception
asyncio.run(run_request(True, "Test case 3: expected result: False - result: {exception_result}"))
Severity ?
7.0 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "homeassistant"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2024.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25305"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-940"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-18T19:25:24Z",
"nvd_published_at": "2025-02-18T19:15:29Z",
"severity": "HIGH"
},
"details": "## Summary\n\nProblem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.\n\n## Details\n\nIn the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen.\n\nWhen migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.\n\nExample:\nhttps://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84\n\nWhen you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.\n\nThe general handling in Home Assistant looks good, as `homeassistant.helpers.aoihttp_client._async_get_connector` handles it correctly.\n\n## PoC\n\n1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.\n2. Add the integration adguard with the setting `host=expired.badssl.com`, `port=443`, `use-ssl=true`, `verify-ssl=true`.\n3. Check the logs - you get a HTTP 403 response.\n\nExpected behavior:\n1. The integration log shows an `ssl.SSLCertVerificationError`.\n\nThe following code shows the problem with `ssl=True`. No exception is raised when `ssl=True` (Python 3.11.6).\n\n```\nimport asyncio\nfrom ssl import SSLCertVerificationError\n\nimport aiohttp\n\nBAD_URL = \"https://expired.badssl.com/\"\n\n\nasync def run_request(verify_ssl, result_placeholder: str):\n async with aiohttp.ClientSession() as session:\n exception_fired: bool = False\n try:\n await session.request(\"OPTIONS\", BAD_URL, ssl=verify_ssl)\n except SSLCertVerificationError:\n exception_fired = True\n except Exception as error:\n print(error)\n else:\n exception_fired = False\n print(result_placeholder.format(exception_result=exception_fired))\n\n\n# Case 1: ssl=False --\u003e expected result: No exception\nasyncio.run(run_request(False, \"Test case 1: expected result: False - result: {exception_result}\"))\n\n# Case 2: ssl=None --\u003e expected result: Exception\nasyncio.run(run_request(None, \"Test case 2: expected result: True - result: {exception_result}\"))\n\n# Case 3: ssl=True --\u003e expected result: No Exception\nasyncio.run(run_request(True, \"Test case 3: expected result: False - result: {exception_result}\"))\n\n```",
"id": "GHSA-m3pm-rpgg-5wj6",
"modified": "2025-02-18T22:51:42Z",
"published": "2025-02-18T19:25:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25305"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/commit/8c6547f1b64f4a3d9f10090b97383353c9367892"
},
{
"type": "PACKAGE",
"url": "https://github.com/home-assistant/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Home Assistant does not correctly validate SSL for outgoing requests in core and used libs"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…