CVE-2025-62172
CVE-2025-62172 I will discuss my first accredited CVE! I will go through: Personal thoughts, how I look for these types of issues and finally the technical details
Well, it's been a while...
This time, I am here to talk about my first accredited CVE!
Table of contents:
Personal Thoughts
First, let's begin with a meme:
I have been doing bug bounty and security research for a while now, reporting issues and doing responsible disclosures to a variety of companies. It feels really good to finally get accredited with a CVE to show for it.
A lot of the time it feels like wasted effort — you send reports and get no reply. Sometimes you get a quick response or a small reward, which feels good and fuels further work. This time, the coveted CVE was the reward :)
Another long-standing goal of mine was to contribute to open-source software that I use. I'm very happy (and lucky) that I could do this while working on a hobby I enjoy. It's a huge bonus to help secure users worldwide.
I would like to thank the Home Assistant team for doing a great job, both in general and when responding to this report. Thank you!
How do I look for these types of issues?
Now, for what most of you really came for: the tips & tricks.
When going about my daily life, I try to do my best to contribute to securing society and the services I use (and the other users of those services).
One simple technique I use is to plant harmless, easily-observable payloads in places where user-controlled content is rendered. They act like little tripwires that reveal when template engines, renderers, or sanitizers behave unexpectedly. An example is the payload in the report for the CVE:
<s> SomeText {{7*7}} ${6*6} #{5*5} @{4*4}
Possible observable results:
- If a templating engine or server side rendering evaluates expressions inside certain delimiters, you might see the expressions replaced by their calculated result.
Example:
<s> SomeText {{7*7}} ${6*6} #{5*5} 16
(Here @{4*4} became 16.)
- or HTML-tags are not properly escaped and the whole text gets strikethrough (as seen in the report) and example below:
(Here <s> became interpreted as a strikethrough tag, indicating HTML injection)
Then, whenever I use the services, get emails or interact with it in my daily life, I just observe if any of these states change. It is like second nature to me at this point. This is also a technique I use in bug bounty and at my daily job. If you have permission to test, like in bug bounty and at work, you can also use blind execution payloads (check out ezXSS for XSS-based out of band (blind) testing and interactsh for a general-purpose one) in the same way.
Technical details
- Here is the advisory:
home-assistant2. It seems like GitHub & NVD has set the CVSS to 5.3, which I believe to be wrong. This is my fault, as I did not initially add a CVSS-score.
As such, here is my suggested CVSS rating for this issue:
CVSS 3.1 Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H
A short description of why is: Home Assistant, at the time of the report, does not have any security mechanisms in place other than user management. That means that any valid user in the system is equivalent to an admin user. Quote from https://www.home-assistant.io/security/#non-qualifying-vulnerabilities:
Non qualifying vulnerabilities:
Privilege escalation attacks for logged in users. Home Assistant assumes every user is trusted and does not enforce user privileges. It assumes every logged in user has the same access as an owner account (more information).
In addition, user access to Home Assistant instances results in Remote Code Execution by design. An simple example:
- Be user
- Install SSH-plugin
- Shell access to server
There are many other ways to achieve this, and it is just due to how the software is supposed to function. The result is that anyone with access to the server, in effect can execute code on the underlying host.
More information about Home Assistant and its approach to security can be found here!
Thank you for reading!