Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Token interception requires an attacker on the victim's insecure network (AV:A) and the non-default no-other-URL fallback condition (AC:H); impact is confidentiality-only token disclosure (C:H, I/A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to be used, it fallbacks to the internal URL as well, which can expose user's token when connected to a not secure network. This vulnerability is fixed in 2025.5.0.
AnalysisAI
Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the configured SSID allowlist meant to gate internal-network access. Because the app falls back to the internal URL whenever no other URL is available, it can transmit the user's authentication token to the internal endpoint while the device is connected to an untrusted or insecure Wi-Fi network, enabling interception. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the iOS companion app (pre-2025.5.0) to be unable to resolve any other configured URL, triggering its fallback to the internal URL despite the SSID not matching the internal-network allowlist; the victim device must be connected to an insecure/untrusted network on which an attacker is positioned to eavesdrop the token in transit. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N, 7.5) treats this as a remote, no-privilege confidentiality breach, but the described mechanism - token exposure when the victim's device is on an insecure network and the app falls back to the internal URL - implies an adjacent, man-in-the-middle/eavesdropping prerequisite rather than direct unauthenticated network exploitation, so the AV:N rating likely overstates reach; an AV:A assessment is more defensible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Home Assistant user opens the iOS companion app while connected to an attacker-controlled or open public Wi-Fi network; with no usable external URL resolved, the app ignores the SSID allowlist and contacts the internal URL, transmitting the authentication token. An attacker positioned on that same network intercepts the cleartext token and replays it to gain authenticated access to the victim's Home Assistant instance. … |
| Remediation | Vendor-released patch: 2025.5.0 - upgrade the Home Assistant iOS companion app to 2025.5.0 or later, per advisory GHSA-cm5v-547m-qh5h (https://github.com/home-assistant/core/security/advisories/GHSA-cm5v-547m-qh5h). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify iOS Home Assistant users in your environment and assess their connection patterns to untrusted networks; note that no public exploit has been identified at this time. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via
An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to acc
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2,
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40119