Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Affecting bthome-ble package, versions [,3.15.1)

Q: How to fix?

Upgrade bthome-ble to version 3.15.1 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-BTHOMEBLE-14830841
published1 Jan 2026
disclosed1 Jan 2026
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Jan 2026

CWE-757 (opens in a new tab)

How to fix?

Upgrade bthome-ble to version 3.15.1 or higher.

Overview

bthome-ble is a BThome BLE support

Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') due to insufficient enforcement of encryption requirements in the _parse_bthome_v1 and _parse_bthome_v2 functions in src/bthome_ble/parser.py. An attacker can impersonate a device by sending plaintext BLE advertisements when a bindkey is configured.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Adjacent
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None