ESPHome Vulnerability Allows Unauthorized Access to Smart Devices

A critical authentication bypass flaw in ESPHome’s ESP-IDF web server component allows unauthorized users on the same local network to access and control smart devices without any valid credentials.

Discovered and reported by security researcher jesserockz, the vulnerability (CVE-2025-57808) undermines Basic Authentication by accepting empty or partially correct Authorization headers.

Users of ESPHome version 2025.8.0 are urged to upgrade immediately to 2025.8.1 to mitigate the risk.

ESPHome, a popular open-source framework for building firmware for smart home devices, supports HTTP Basic Authentication through its web_server component.

On the ESP-IDF platform, this authentication mechanism fails to correctly validate client-supplied credentials when the Authorization header’s base64 value is empty or truncated.

By comparing only the initial bytes of the supplied string against the expected value, the server grants access if the provided fragment matches the prefix of the legitimate credential.

Even an empty ...