Homepage
About Snyk

esphome@2024.2.0 vulnerabilities

Make creating custom firmwares for ESP32/ESP8266 super easy.

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the esphome package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Cross-Site Request Forgery (CSRF)

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) due to insufficient protection for API endpoints in the dashboard component. An attacker can perform operations on configuration files (create, edit, delete) on behalf of a logged user by directing them to visit a maliciously crafted web page. This effectively bypasses authentication for API calls. The vulnerability can be further exploited in conjunction with another issue to achieve complete account takeover.

How to fix Cross-Site Request Forgery (CSRF)?

Upgrade esphome to version 2024.3.0 or higher.

[2023.12.9,2024.3.0)
  • M
Cross-site Scripting (XSS)

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the edit configuration file API in the dashboard component. An attacker can inject arbitrary web script and exfiltrate session cookies by sending a specially crafted POST request to the /edit endpoint with a malicious JavaScript payload in the configuration parameter.

Note: Cookies are not correctly secured, allowing the exfiltration of session cookie values.

How to fix Cross-site Scripting (XSS)?

Upgrade esphome to version 2024.2.2 or higher.

[2023.12.9,2024.2.2)
  • H
Path Traversal

esphome is a Make creating custom firmwares for ESP32/ESP8266 super easy.

Affected versions of this package are vulnerable to Path Traversal due to a security misconfiguration in the edit configuration file API in the dashboard component. An attacker can read and write arbitrary files under the configuration directory, rendering remote code execution possible by exploiting authenticated access to the API.

Notes:

  1. The issue gives read and write access to files under the configuration directory and allows malicious users to write arbitrary code in python scripts executed during the compilation and flashing of firmwares for ESP boards.

  2. This issue could allow an unauthenticated remote user to gain remote code execution on the machine hosting the dashboard.

  3. It also allows accessing sensitive information such as esphome.json and board firmware source code allowing a user to modify the board firmware, and leaking secrets such as: WiFi network credentials, fallback hotspot WiFi credentials, OTA component authentication password and API encryption key.

How to fix Path Traversal?

Upgrade esphome to version 2024.2.1 or higher.

[,2024.2.1)
Go back to all versions of this package