{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "= 2025.8.0" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "2adb99324227f5057a5ce2fbc4bbcbf3d6d242cd" } ], "repo": "https://github.com/esphome/esphome", "type": "GIT" } ] } ], "aliases": [ "GHSA-mxh2-ccgj-8635" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-303" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57808.json" }, "details": "ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.", "id": "CVE-2025-57808", "modified": "2026-04-01T23:09:02.401921121Z", "published": "2025-09-02T00:26:09.017Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/57xxx/CVE-2025-57808.json" }, { "type": "ADVISORY", "url": "https://github.com/esphome/esphome/security/advisories/GHSA-mxh2-ccgj-8635" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57808" }, { "type": "FIX", "url": "https://github.com/esphome/esphome/commit/2aceb56606ec8afec5f49c92e140c8050a6ccbe5" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header" }