Home Assistant Core Directory Traversal Vulnerability in Downloader Integration Allows Remote Code Execution

Vulnerability

A directory traversal vulnerability has been identified in the Downloader integration of Home Assistant Core, affecting versions prior to 2025.8.0. The vulnerability arises because the integration does not properly validate file paths during concatenation, allowing for path traversal attacks. An attacker could exploit this by tricking an administrator user into using a malicious path, potentially leading to the creation or overwriting of arbitrary files on the system. This could be exploited to execute remote code, especially by overwriting files that are executed by the Home Assistant service.
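As an added illustration (not Home Assistant's own code, and not the actual fix), the unvalidated join the advisory describes sits beside a containment check that rejects paths leaving the download directory; the function and parameter names (`download_dir`, `subdir`, `filename`) are assumptions.

```python
"""Added example: why naive path concatenation lets a download escape its
base directory, and a containment check that rejects such paths.
Function and parameter names are hypothetical, not Home Assistant's."""
import os
from pathlib import Path


def naive_target_path(download_dir: str, subdir: str, filename: str) -> str:
    # Vulnerable pattern: plain joining with no validation. os.path.join
    # drops everything before an absolute component, and '..' segments are
    # kept, so the result can point anywhere on the filesystem.
    return os.path.join(download_dir, subdir, filename)


def safe_target_path(download_dir: str, subdir: str, filename: str) -> Path:
    """Return the resolved destination, or raise ValueError if it would
    land outside download_dir."""
    base = Path(download_dir).resolve()
    # Absolute components would replace the base entirely: reject them.
    if Path(subdir).is_absolute() or Path(filename).is_absolute():
        raise ValueError("absolute path component not allowed")
    # A filename must be exactly one path element (no separators, no '..').
    if Path(filename).name != filename or filename in ("", ".", ".."):
        raise ValueError("invalid filename")
    # Resolve '..' and symlinks first, then check containment.
    candidate = (base / subdir / filename).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes download directory: {candidate}")
    return candidate


def is_contained(download_dir: str, subdir: str, filename: str) -> bool:
    """True if the hardened check accepts the combination."""
    try:
        safe_target_path(download_dir, subdir, filename)
        return True
    except ValueError:
        return False
```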

Impact

Exploitation of this vulnerability could allow an attacker to execute arbitrary code on the server running Home Assistant, potentially leading to control over connected smart home devices or access to sensitive data stored within Home Assistant.

Reproduction

To reproduce this vulnerability, upload a file containing malicious Python code to a server accessible from the Home Assistant instance. Then, use the Downloader integration to download this file into a directory where Home Assistant will execute it, such as the 'homeassistant' directory. After overwriting a file with the malicious code, restart Home Assistant to execute the injected code, which could, for example, create a directory in the '/tmp' folder, indicating successful execution.

Remediation

Update to Home Assistant Core version 2025.8.0 or later, where this vulnerability has been fixed.

Added: Dec 23, 2025, 5:20 PM
Updated: Dec 23, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.