CVE-2025-57808: ESPHome Web Server Authentication Bypass Exposes Smart Devices

The ESPHome project, a popular open-source firmware framework for ESP32- and ESP8266-based smart home devices, has disclosed a critical vulnerability that undermines basic authentication in its web server component. Tracked as CVE-2025-57808 and rated CVSS 8.1 (High), the flaw allows attackers to bypass authentication entirely, potentially gaining control of devices, including access to Over-The-Air (OTA) firmware updates.

ESPHome explains: “ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header” is the root cause of the issue.

The vulnerability lies in the AsyncWebServerRequest::authenticate function, which improperly validates base64-encoded Authorization headers. Specifically, the check only compares a substring of the supplied value against the stored credential. As the advisory details:

“This means a client-provided value like dXNlcjpz (user:s) will pass the check when the correct value is much longer… Furthermore, the check will also pass when the supplied value is the empty string.”

In practice, this allows anyone on the same network to access the ESPHome web server without providing valid credentials.

The advisory demonstrates just how easy this bypass is. For example, configuring ESPHome with the following:

esp32:
  board: ...
  framework:
    type: esp-idf
web_server:
  auth:
    username: user
    password: somereallylongpass

should normally require the full password. Instead, as ESPHome notes, “you can incorrectly log in by supplying substrings of the password… or even just ‘s’.” Worse, attackers can “manually set an Authorization request header that always passes the check without any knowledge of the username.”

A simple curl command illustrates the exploit:

$ curl -D- http://example.local/
HTTP/1.1 401 Unauthorized
...

$ curl -D- -H 'Authorization: Basic ' http://example.local/
HTTP/1.1 200 OK
...

The implications are severe:

• Bypass of all authentication – Any device running ESPHome’s web server on ESP-IDF is effectively unprotected.
• OTA exploitation – If OTA updates are enabled, attackers could push malicious firmware.
• Local network risk – Attackers need only be on the same LAN; no prior knowledge of credentials is required.

As the advisory stresses, “This vulnerability effectively nullifies basic auth support for the ESP-IDF web_server, allowing auth bypass from another device on the local network with no knowledge of the correct username or password required.”

The affected and patched versions

• Affected: ESPHome 2025.8.0
• Patched: ESPHome 2025.8.1

Until patched, users are strongly urged to disable the web server component on ESP-IDF devices, particularly where OTA is active.

Related Posts:

• Hacking the Cloud: Undetectable Crypto Miner on Azure
• Accidental Malvertising Strikes via Google Dynamic Search Ads
• Opera Unveils Neon: A Revolutionary AI-Powered Browser Experience!

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy