Key Information

Vulnerability Name: Path Traversal in Home Assistant Core Downloader Leads to Remote Code Execution

Affected Scope
Package: Home Assistant Core
Affected versions: < 2025.8.0
Fixed version: 2025.8.0

Vulnerability Description
The Downloader integration calls the function to download files. The path validation function is named , which uses a regular expression ( ) to validate the path. However, the function does not check whether the path starts with , leaving a path traversal vulnerability.

Impact
An attacker can trick the administrator user into calling the service with a malicious path traversal. If successful, they can achieve remote code execution and gain control over the server running Home Assistant.

PoC (Proof of Concept)
1. Start Home Assistant via Docker.
2. Follow the instructions to enable the Downloader.
3. Start an HTTP service on a server that is accessible within the Home Assistant network.
4. Copy the code from the GitHub file and add malicious code at the beginning as the attacker's desired payload. Place the modified code in the directory where is running.
5. Log in to Home Assistant using an administrator account and use the "Download File" action to download the modified file.
6. Go to "Developer Tools", restart, and re-execute the modified file. Confirm the successful execution of arbitrary remote commands.

Discovered by
XlabAI Team of Tencent Xuanwu Lab, Atuin Automated Vulnerability Discovery Engine
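As an added illustration of the missing containment check the description refers to (this is not Home Assistant's code; the regex, function names and download directory below are assumptions), the following Python contrasts a character-only regex check with one that resolves the final path and requires it to stay under the download root:

```python
import os
import re
from typing import Optional

# Assumed download root for this example; not Home Assistant's own configuration.
DOWNLOAD_DIR = "/config/downloads"

# Hypothetical character-only pattern in the style the advisory describes: it
# restricts which characters may appear but never decides where the path lands.
_CHAR_ONLY_RE = re.compile(r"^[\w./-]+$")


def weak_validate(subdir: str, download_dir: str = DOWNLOAD_DIR) -> Optional[str]:
    """Regex-only check: returns the joined path with no containment check."""
    if not _CHAR_ONLY_RE.match(subdir):
        return None
    return os.path.normpath(os.path.join(download_dir, subdir))


def safe_validate(subdir: str, download_dir: str = DOWNLOAD_DIR) -> Optional[str]:
    """Resolve the final path and require it to stay under download_dir."""
    root = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(root, subdir))
    # commonpath rather than startswith: "/config/downloads_x" shares the prefix
    # string with the root but is not inside it. An absolute subdir makes join()
    # discard root, and ".." components are collapsed by realpath, so both
    # escapes fail this comparison.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(subdir: str) -> dict:
    """Return both verdicts for one requested path (for constructed inputs)."""
    return {"weak": weak_validate(subdir), "safe": safe_validate(subdir)}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one relative escape, one absolute.
    for name in ("media/report.txt", "../../outside.txt", "/tmp/outside.txt"):
        print(name, compare(name))
```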