
CVE-2025-25305


Date: February 18, 2025

Home Assistant Core is an open source home automation platform that puts local control and privacy first. Affected versions are exposed to potential man-in-the-middle attacks because of missing SSL certificate verification in the project codebase and in third-party libraries it uses. In the past, "aiohttp-session"/"request" had the boolean parameter "verify_ssl" to control SSL certificate verification. In "aiohttp" 3.0, this parameter was deprecated in favor of the "ssl" parameter. Standard SSL certificate verification happens only when "ssl" is set to "None" or is given a correctly configured SSL context. When integrations in Home Assistant and libraries used by Home Assistant were migrated, in some cases the "verify_ssl" parameter value was simply moved to the new "ssl" parameter. This resulted in these integrations and third-party libraries using "request.ssl = True", which unintentionally turned off SSL certificate verification and opened a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
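The migration mistake described above, as an added example that is not Home Assistant or aiohttp code: a correct translation of the legacy "verify_ssl" boolean into the "ssl" parameter, a model of the verification semantics the advisory describes, and a small AST audit that flags call sites passing "ssl=True" or forwarding a "verify_ssl" name. The sample source it scans is constructed for this example.

```python
# Added example (not Home Assistant or aiohttp code): the verify_ssl -> ssl
# migration pitfall from the advisory, plus an AST audit that flags it.
import ast
import ssl
from typing import List, Tuple, Union

SslArg = Union[None, bool, ssl.SSLContext]


def migrate_verify_ssl(verify_ssl: bool) -> SslArg:
    """Translate the legacy boolean into aiohttp's ``ssl`` kwarg correctly.

    ssl=None selects the default, verifying context and ssl=False disables
    checks; forwarding the boolean unchanged would yield the unsafe ssl=True.
    """
    return None if verify_ssl else False


def verification_enabled(ssl_arg: SslArg) -> bool:
    """Model of the ``ssl`` semantics the advisory describes."""
    if ssl_arg is None:
        return True  # default context: CA chain and hostname are checked
    if isinstance(ssl_arg, ssl.SSLContext):
        return ssl_arg.verify_mode == ssl.CERT_REQUIRED and bool(ssl_arg.check_hostname)
    return False  # both True and False land in the "skip verification" branch


def find_unsafe_ssl_kwargs(source: str) -> List[Tuple[int, str]]:
    """Return (line, kwarg text) for calls passing ssl=True or ssl=verify_ssl."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "ssl":
                continue
            value = kw.value
            literal_true = isinstance(value, ast.Constant) and value.value is True
            forwarded_bool = isinstance(value, ast.Name) and value.id == "verify_ssl"
            if literal_true or forwarded_bool:
                hits.append((value.lineno, f"ssl={ast.unparse(value)}"))
    return hits


# Constructed sample: the first two calls reproduce the migration mistake.
SAMPLE_SOURCE = """\
async def fetch(session, url, verify_ssl):
    await session.get(url, ssl=True)
    await session.get(url, ssl=verify_ssl)
    await session.get(url, ssl=None)
    await session.get(url, ssl=migrate_verify_ssl(verify_ssl))
"""
```

Running find_unsafe_ssl_kwargs over a real integration's source gives a quick inventory of call sites to review; the two flagged lines in the sample are exactly the forms the advisory says silently disable verification.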

Severity Score

Weakness Type (CWE)

CWE-347: Improper Verification of Cryptographic Signature
CWE-940: Improper Verification of Source of a Communication Channel

Top Fix

Upgrade Version

Upgrade to version homeassistant - 2024.1.6

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): LOW
Availability (A): LOW