ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header

ESPHome is a system to control microcontrollers remotely through Home Automation systems. In version 2025.8.0 in the ESP-IDF platform, ESPHome's web_server authentication check can pass incorrectly when the client-supplied base64-encoded Authorization value is empty or is a substring of the correct value. This allows access to web_server functionality (including OTA, if enabled) without knowing any information about the correct username or password. This issue has been patched in version 2025.8.1.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

认证算法的不正确实现

ESPHome 安全漏洞

ESPHome是ESPHome开源的一个配置、管理智能硬件的系统。用于控制Esp8266/Esp32硬件，实现家庭自动化控制。 ESPHome 2025.8.0版本存在安全漏洞，该漏洞源于web_server身份验证检查不当，可能导致未经授权访问。

N/A

N/A