logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-25305 homeassistant

Package

Manager: pip
Name: homeassistant
Vulnerable Version: >=0 <2024.1.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00046 pctl0.13539

Details

Home Assistant does not correctly validate SSL for outgoing requests in core and used libs ## Summary Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. ## Details In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. Example: https://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84 When you scan the libraries used by the integrations in Home Assistant, you will find more issues like this. The general handling in Home Assistant looks good, as `homeassistant.helpers.aoihttp_client._async_get_connector` handles it correctly. ## PoC 1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser. 2. Add the integration adguard with the setting `host=expired.badssl.com`, `port=443`, `use-ssl=true`, `verify-ssl=true`. 3. Check the logs - you get a HTTP 403 response. Expected behavior: 1. The integration log shows an `ssl.SSLCertVerificationError`. The following code shows the problem with `ssl=True`. No exception is raised when `ssl=True` (Python 3.11.6). ``` import asyncio from ssl import SSLCertVerificationError import aiohttp BAD_URL = "https://expired.badssl.com/" async def run_request(verify_ssl, result_placeholder: str): async with aiohttp.ClientSession() as session: exception_fired: bool = False try: await session.request("OPTIONS", BAD_URL, ssl=verify_ssl) except SSLCertVerificationError: exception_fired = True except Exception as error: print(error) else: exception_fired = False print(result_placeholder.format(exception_result=exception_fired)) # Case 1: ssl=False --> expected result: No exception asyncio.run(run_request(False, "Test case 1: expected result: False - result: {exception_result}")) # Case 2: ssl=None --> expected result: Exception asyncio.run(run_request(None, "Test case 2: expected result: True - result: {exception_result}")) # Case 3: ssl=True --> expected result: No Exception asyncio.run(run_request(True, "Test case 3: expected result: False - result: {exception_result}")) ```

Metadata

Created: 2025-02-18T19:25:24Z
Modified: 2025-02-18T22:51:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-m3pm-rpgg-5wj6/GHSA-m3pm-rpgg-5wj6.json
CWE IDs: ["CWE-347", "CWE-940"]
Alternative ID: GHSA-m3pm-rpgg-5wj6
Finding: F332
Auto approve: 1