cvedb.io
CVE-2025-57808
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2025-09-02T01:15:29.947 · Last modified 2026-06-17T09:43:28.493

Summary

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.
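The failure mode described above, shown as an added C example (not ESPHome's code): it assumes the comparison is bounded by the length of the client-supplied value, which is one way an empty or partial value can pass. The function names and the credential string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: base64("admin:hunter2"); not taken from the advisory. */
static const char EXPECTED_B64[] = "YWRtaW46aHVudGVyMg==";
static const char PREFIX[] = "Basic ";

/* Returns the base64 part of the header, or NULL if the scheme is not Basic. */
static const char *basic_value(const char *header) {
    size_t plen = sizeof(PREFIX) - 1;
    return strncmp(header, PREFIX, plen) == 0 ? header + plen : NULL;
}

/* Flawed pattern (assumed): the compare length comes from the client, so an
 * empty value compares zero bytes and any leading part of the secret matches. */
int check_auth_flawed(const char *header) {
    const char *supplied = basic_value(header);
    if (supplied == NULL) return 0;
    return strncmp(EXPECTED_B64, supplied, strlen(supplied)) == 0;
}

/* Hardened: lengths must be equal, then every byte is compared with no
 * early exit so the result does not depend on where a mismatch occurs. */
int check_auth_hardened(const char *header) {
    const char *supplied = basic_value(header);
    size_t expected_len = sizeof(EXPECTED_B64) - 1;
    unsigned char diff = 0;
    if (supplied == NULL || strlen(supplied) != expected_len) return 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(supplied[i] ^ EXPECTED_B64[i]);
    return diff == 0;
}

int main(void) {
    /* Constructed header values: empty, partial, full, wrong. */
    const char *cases[] = { "Basic ", "Basic YWRt",
                            "Basic YWRtaW46aHVudGVyMg==", "Basic eHh4" };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-30s flawed=%d hardened=%d\n", cases[i],
               check_auth_flawed(cases[i]), check_auth_hardened(cases[i]));
    return 0;
}
```

A regression test for a fixed build should cover the empty and partial header values, not only a wrong password, since a wrong-password test passes against both functions.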

Affected products

esphome — esphome_firmware

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.