CVE-2024-27081: ESPHome vulnerable to remote code execution via arbitrary file write
A security misconfiguration in the edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation) allows authenticated remote attackers to read and write arbitrary files under the configuration directory, rendering remote code execution possible.