CVE-2025-57808 - web_server auth bypass

Not often this happens, but if you are using the web_server with authentication and the esp-idf framework, please update your device(s) to at least ESPHome 2025.8.1

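For readers checking whether their own nodes match the affected combination, here is an illustrative ESPHome configuration. It is an added example, not a config from this thread or from the ESPHome project, and the node name and secret names are placeholders. It pairs an ESP32 target built with the esp-idf framework with the web_server component's authentication, which is the setup the post says needs at least ESPHome 2025.8.1, and pins `min_version` so an outdated ESPHome install refuses to compile the node instead of silently producing an unpatched build.

```yaml
# Added illustration, not taken from the thread or from ESPHome's own docs.
# The advisory above concerns nodes that use BOTH an esp-idf build AND
# web_server authentication; this is what that combination looks like.
esphome:
  name: example-node           # placeholder name
  # Fail the build on any ESPHome older than the fixed release, so a stale
  # installation cannot quietly compile a still-affected firmware.
  min_version: "2025.8.1"

esp32:
  board: esp32dev              # placeholder board
  framework:
    type: esp-idf              # the framework named in the post

web_server:
  port: 80
  auth:
    # values assumed to live in secrets.yaml next to this file
    username: !secret web_user
    password: !secret web_password
```

If a device only uses the Arduino framework, or runs web_server without the `auth:` block, it is outside the combination described above; the `min_version` pin is still a cheap way to make sure the build host itself has been updated.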

Thanks Tom!

Shouldn’t Nabu, as “owner” (I know, I know…), send out an email to at least their paying (i.e. known) customers indicating this possible exploit?

We should not have to roam forums or websites to be informed?

Nabu Casa is not the owner of ESPHome. It is an Open Home Foundation project. See:

Nabu Casa is only a supporter of the Open Home Foundation. See:

That’s why I wrote “I know, I know”.

Please let the Open Home Foundation and NC not be like the typical company where responsibilities and liabilities are thrown from one business unit to the other.

They are better. Right?

So, back on topic: should there not be an active communication channel from the Open Home Foundation to the world, and even more, from a company involved with the OHF to its customers?

The vulnerability has a small exposure surface (I suspect most people don’t even use security on their ESPHome device web pages) and has been patched already.

It was my choice to post it here, otherwise it would only have been an announcement on the ESPHome Discord.

More serious security vulnerabilities are more widely advertised.

Which is a good thing @tom_l thanks again.

And once again: always update your devices!

Thanks for the heads up. I have a lot of updating to do.
But I thought ESPHome uses digest auth?

And also I found this during research in the past.