CVE-2025-25305

CVSS 3.1 Score 7 of 10 (high)

Details

Published Feb 18, 2025
CWE ID 940

Summary

CVE-2025-25305 affects Home Assistant Core, an open-source home automation system. The vulnerability stems from the lack of SSL certificate verification in certain versions due to misconfigured parameters in third-party libraries. Specifically, the `aiohttp-session`/`request` library used in Home Assistant had a boolean `verify_ssl` parameter that was inadvertently set to `True`, disabling SSL certificate verification when upgrading to `aiohttp` 3.0. With this vulnerability, man-in-the-middle attacks are possible. Home Assistant users are advised to upgrade to version 2024.1.6 to mitigate this risk, as no known workarounds exist.
