CVE-2025-57808: ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
On the ESP-IDF platform, the HTTP Basic authentication check in ESPHome's web_server component can succeed when it should fail: the check passes if the base64-encoded credential value the client sends in the Authorization header is empty, or if it is a substring of the correct value (for example, the correct username followed by only part of the password). An empty value requires no knowledge of the configured username or password at all, so an unauthenticated client can reach everything web_server exposes, including OTA updates if that feature is enabled. A device is affected if a request carrying an empty Basic credential is served normally instead of being answered with 401.
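The following is an added example and is not ESPHome's code. It models the flaw as the advisory describes it: a credential comparison that is bounded by the length of the value the client supplied (the use of strncmp with the client's length is an assumption used to reproduce the described behaviour), placed beside a hardened check that requires an exact length match and compares every byte. The base64 encoder, the credentials admin:password and the three probe headers are constructed for the example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Minimal base64 encoder (constructed here so the example runs offline).
static std::string base64_encode(const std::string &in) {
  static const char tbl[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  std::string out;
  size_t i = 0;
  for (; i + 3 <= in.size(); i += 3) {
    unsigned v = (unsigned char)in[i] << 16 | (unsigned char)in[i + 1] << 8 |
                 (unsigned char)in[i + 2];
    out += tbl[v >> 18];
    out += tbl[(v >> 12) & 63];
    out += tbl[(v >> 6) & 63];
    out += tbl[v & 63];
  }
  size_t rem = in.size() - i;
  if (rem == 1) {
    unsigned v = (unsigned char)in[i] << 16;
    out += tbl[v >> 18];
    out += tbl[(v >> 12) & 63];
    out += "==";
  } else if (rem == 2) {
    unsigned v = (unsigned char)in[i] << 16 | (unsigned char)in[i + 1] << 8;
    out += tbl[v >> 18];
    out += tbl[(v >> 12) & 63];
    out += tbl[(v >> 6) & 63];
    out += '=';
  }
  return out;
}

// Returns the credential payload after "Basic ", or nullptr for any other scheme.
static const char *basic_payload(const std::string &header) {
  if (strncmp(header.c_str(), "Basic ", 6) != 0) return nullptr;
  return header.c_str() + 6;
}

// Flawed check, modelled on the advisory's description (hypothetical, not
// ESPHome's code): the comparison is bounded by the CLIENT's length, so an
// empty payload compares zero bytes and any prefix of the expected value
// "matches".
static bool authenticate_vulnerable(const std::string &header, const char *user,
                                    const char *pass) {
  const char *supplied = basic_payload(header);
  if (supplied == nullptr) return false;
  std::string expected = base64_encode(std::string(user) + ":" + pass);
  return strncmp(expected.c_str(), supplied, strlen(supplied)) == 0;
}

// Hardened check: lengths must match exactly and every byte is compared, so
// neither an empty value nor a prefix passes and the position of the first
// mismatch does not change the running time.
static bool authenticate_fixed(const std::string &header, const char *user,
                               const char *pass) {
  const char *supplied = basic_payload(header);
  if (supplied == nullptr) return false;
  std::string expected = base64_encode(std::string(user) + ":" + pass);
  size_t n = strlen(supplied);
  unsigned char diff = (unsigned char)(n != expected.size());
  for (size_t i = 0; i < expected.size(); i++) {
    unsigned char s = i < n ? (unsigned char)supplied[i] : 0;
    diff |= (unsigned char)((unsigned char)expected[i] ^ s);
  }
  return diff == 0;
}

int main() {
  const char *user = "admin", *pass = "password";  // constructed credentials
  const char *probes[] = {
      "Basic ",                      // empty credential value
      "Basic YWRtaW46cGFz",          // base64("admin:pas"): a prefix of the real value
      "Basic YWRtaW46cGFzc3dvcmQ=",  // the genuine credential
  };
  for (const char *p : probes) {
    printf("%-30s vulnerable=%d fixed=%d\n", p,
           authenticate_vulnerable(p, user, pass), authenticate_fixed(p, user, pass));
  }
  return 0;
}
```

The first two probes are exactly the two cases the advisory names: the empty value passes the flawed check because zero bytes are compared, and the truncated credential passes because it is a prefix of the expected encoding. Both are rejected by the hardened check, which still accepts the genuine credential.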