GHSA-MXH2-CCGJ-8635

Vulnerability from github – Published: 2025-09-02 16:46 – Updated: 2025-09-02 16:46
VLAI?
Summary
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
Details

Summary

On the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password.

Details

The HTTP basic auth check in web_server_idf's AsyncWebServerRequest::authenticate only compares up to auth.value().size() - auth_prefix_len bytes of the base64-encoded user:pass string. This means a client-provided valuer like dXNlcjpz (user:s) will pass the check when the correct value is much longer, e.g., dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M= (user:somereallylongpass).

Furthermore, the check will also pass when the supplied value is the empty string, which removes the need to know (or brute force) the username. A browser won't generally issue such a request, but it can easily be done by manually constructing the Authorizaztion request header (e.g., via curl).

PoC

Configure ESPHome as follows:

esp32:
  board: ...
  framework:
    type: esp-idf
web_server:
  auth:
    username: user
    password: somereallylongpass

In a browser, you can correctly log in by supplying username user and password somereallylongpass... but you can also incorrectly log in by supplying substrings of the password whose base64-encoded digest matches a prefix of the correct digest. (For example, I was able to log into an ESPHome device so configured by supplying password some... or even just s.)

You can also use a tool like curl to manually set an Authorization request header that always passes the check without any knowledge of the username:

$ curl -D- http://example.local/
HTTP/1.1 401 Unauthorized
...

$ curl -D- -H 'Authorization: Basic ' http://example.local/
HTTP/1.1 200 OK
...

Impact

This vulnerability effectively nullifies basic auth support for the ESP-IDF web_server, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.

Remediation

This vulnerability is fixed in 2025.8.1 and later.

For older versions, disabling the web_server component on ESP-IDF devices may be prudent, particularly if OTA updates through web_server are enabled.

Severity ?
8.1 (High)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2025.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "esphome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-187",
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-02T16:46:58Z",
    "nvd_published_at": "2025-09-02T01:15:29Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nOn the ESP-IDF platform, ESPHome\u0027s [`web_server` authentication](https://esphome.io/components/web_server.html#configuration-variables) check can pass incorrectly when the client-supplied base64-encoded `Authorization` value is empty or is a substring of the correct value (e.g., correct username with partial password). This allows access to `web_server` functionality (including OTA, if enabled) without knowing any information about the correct username or password.\n\n### Details\nThe HTTP basic auth check in `web_server_idf`\u0027s [`AsyncWebServerRequest::authenticate`](https://github.com/esphome/esphome/blob/ef2121a215890d46dc1d25ad363611ecadc9e25e/esphome/components/web_server_idf/web_server_idf.cpp#L256) only compares up to `auth.value().size() - auth_prefix_len` bytes of the base64-encoded `user:pass` string. This means a client-provided valuer like `dXNlcjpz` (`user:s`) will pass the check when the correct value is much longer, e.g., `dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=` (`user:somereallylongpass`).\n\nFurthermore, the check will also pass when the supplied value is the empty string, which removes the need to know (or brute force) the username. A browser won\u0027t generally issue such a request, but it can easily be done by manually constructing the `Authorizaztion` request header (e.g., via `curl`).\n\n### PoC\nConfigure ESPHome as follows:\n\n```yaml\nesp32:\n  board: ...\n  framework:\n    type: esp-idf\nweb_server:\n  auth:\n    username: user\n    password: somereallylongpass\n```\n\nIn a browser, you can correctly log in by supplying username `user` and password `somereallylongpass`... but you can _also_ incorrectly log in by supplying _substrings_ of the password whose base64-encoded digest matches a _prefix_ of the correct digest. (For example, I was able to log into an ESPHome device so configured by supplying password `some`... or even just `s`.)\n\nYou can also use a tool like `curl` to manually set an `Authorization` request header that _always_ passes the check without any knowledge of the username:\n\n```\n$ curl -D- http://example.local/\nHTTP/1.1 401 Unauthorized\n...\n\n$ curl -D- -H \u0027Authorization: Basic \u0027 http://example.local/\nHTTP/1.1 200 OK\n...\n```\n\n### Impact\nThis vulnerability effectively nullifies basic auth support for the ESP-IDF `web_server`, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.\n\n### Remediation\nThis vulnerability is fixed in 2025.8.1 and later.\n\nFor older versions, disabling the `web_server` component on ESP-IDF devices may be prudent, particularly if OTA updates through `web_server` are enabled.",
  "id": "GHSA-mxh2-ccgj-8635",
  "modified": "2025-09-02T16:46:58Z",
  "published": "2025-09-02T16:46:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esphome/esphome"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.