ESPHome Web Server Authentication Bypass Vulnerability on ESP-IDF Platform

Vulnerability

A vulnerability in ESPHome version 2025.8.0 on the ESP-IDF platform allows authentication to be bypassed in the web server component. The server's authentication check incorrectly accepts base64-encoded Authorization headers that are either empty or only a partial match of the expected value. This flaw grants access to web server functionality, including over-the-air (OTA) updates, without knowledge of the correct username or password. The vulnerability has been patched in version 2025.8.1.

Impact

Exploitation of this vulnerability allows unauthorized access to the web server functionality, effectively bypassing the basic authentication requirement. If OTA updates are enabled on the device, this can lead to unauthorized firmware updates.

Reproduction

To reproduce this vulnerability, configure ESPHome on an ESP-IDF platform device with the web server component enabled and basic authentication configured. After deploying this configuration, the vulnerability can be triggered by sending a request to the web server with an Authorization header that is either empty or a base64-encoded substring of the correct credentials. This can be done using a tool like curl.
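The following C++ example is added here to illustrate the flaw class the advisory describes; it is not ESPHome's code, and the function names, the base64 encoder, and the sample credentials "admin"/"secret" are constructed for the example. The flawed check compares only as many bytes as the client supplied, so an empty header or any prefix of the expected value passes; the hardened check rejects on a length mismatch and then compares every byte.

```cpp
#include <cstddef>
#include <string>

// Minimal base64 encoder (standard alphabet, '=' padding), written for this
// example only; not ESPHome's implementation.
std::string base64_encode(const std::string &in) {
    static const char *chars =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    unsigned val = 0;   // rolling bit buffer; unsigned wraparound is harmless here
    int bits = -6;      // number of buffered bits minus 6
    for (unsigned char c : in) {
        val = (val << 8) | c;
        bits += 8;
        while (bits >= 0) {
            out.push_back(chars[(val >> bits) & 0x3F]);
            bits -= 6;
        }
    }
    // Flush the remaining 2 or 4 bits, left-aligned in a 6-bit group.
    if (bits > -6) out.push_back(chars[((val << 8) >> (bits + 8)) & 0x3F]);
    while (out.size() % 4) out.push_back('=');
    return out;
}

// Expected "Basic <base64(user:pass)>" header value for the configured credentials.
static std::string expected_header(const std::string &user, const std::string &pass) {
    return "Basic " + base64_encode(user + ":" + pass);
}

// Constructed illustration of the flawed check: the comparison runs only for
// the length of the supplied header, so "" and any prefix of the expected
// value compare equal. This is the pattern the advisory describes, not the
// project's exact code.
bool flawed_authorized(const std::string &auth_header,
                       const std::string &user, const std::string &pass) {
    std::string expected = expected_header(user, pass);
    return expected.compare(0, auth_header.size(), auth_header) == 0;
}

// Hardened check: reject on length mismatch first, then compare every byte
// with a constant-time loop so no prefix or early mismatch short-circuits
// the result.
bool hardened_authorized(const std::string &auth_header,
                         const std::string &user, const std::string &pass) {
    std::string expected = expected_header(user, pass);
    if (auth_header.size() != expected.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < expected.size(); ++i)
        diff |= static_cast<unsigned char>(auth_header[i] ^ expected[i]);
    return diff == 0;
}

int main() {
    // Constructed sample: "admin:secret" encodes to "YWRtaW46c2VjcmV0".
    const std::string user = "admin", pass = "secret";
    const std::string empty = "";
    const std::string prefix = "Basic YWRt";   // base64 of "adm", a prefix
    const std::string full = expected_header(user, pass);
    bool flawed_accepts_empty  = flawed_authorized(empty, user, pass);    // true
    bool flawed_accepts_prefix = flawed_authorized(prefix, user, pass);   // true
    bool hardened_rejects_both = !hardened_authorized(empty, user, pass) &&
                                 !hardened_authorized(prefix, user, pass); // true
    bool hardened_accepts_full = hardened_authorized(full, user, pass);   // true
    return (flawed_accepts_empty && flawed_accepts_prefix &&
            hardened_rejects_both && hardened_accepts_full) ? 0 : 1;
}
```

The length check in the hardened version leaks only the expected header length, which is not secret; the byte loop avoids the early exit that a plain string comparison would take on the first mismatching byte.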

Remediation

Users should update to ESPHome version 2025.8.1 or later, where this vulnerability has been fixed. If an immediate update is not possible, consider disabling the web server component on ESP-IDF devices, especially where OTA updates via the web server are enabled.

Added: Sep 2, 2025, 1:22 AM
Updated: Sep 2, 2025, 1:22 AM

Vulnerability Rating

Custom Algorithm

spread:          5.7
impact:          5.0
exploitability:  6.2
remediation:     7.7
relevance:       0.4
threat:          6.5
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.