Man-in-the-Middle Vulnerability in Home Assistant Core Software
CVE-2025-25305

7 HIGH

Key Information:

CVE Published: 18 February 2025

What is CVE-2025-25305?

Home Assistant Core, an open-source home automation platform, is susceptible to man-in-the-middle attacks due to inadequate SSL certificate verification in its codebase and third-party libraries. This vulnerability arises from a migration in the handling of SSL verification parameters. Older parameters allowed control over SSL verification; however, subsequent updates led to scenarios where SSL verification was inadvertently disabled. This misconfiguration poses a substantial risk, as attackers could exploit this weakness to intercept communications. Users are urged to upgrade to version 2024.1.6 or later to mitigate the risk associated with this issue, as no workarounds are available.

Affected Version(s)

core < 2024.1.6

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
