Is homeassistant affected by CVE-2025-25305?

PyPI homeassistant is affected in <2024.1.6.

Is CVE-2025-25305 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

high

CVE-2025-25305

Q: Is CVE-2025-25305 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

PyPI · homeassistant

Summary

Home Assistant does not correctly validate SSL for outgoing requests in core and used libs

Severity: high
EPSS: 0.2% (p13)
Also known as: GHSA-m3pm-rpgg-5wj6
Published: 2025-02-18

References

https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6
https://nvd.nist.gov/vuln/detail/CVE-2025-25305
https://github.com/home-assistant/core/commit/8c6547f1b64f4a3d9f10090b97383353c9367892

Related advisories

CVE-2025-62172 — high · PyPI/homeassistant
CVE-2025-65713 — medium · PyPI/homeassistant

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.