CVE-2025-62172 (GCVE-0-2025-62172)
Vulnerability from cvelistv5
Published
2025-10-14 15:14
Modified
2025-10-21 20:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| home-assistant | core |
Version: >= 2025.1.0, < 2025.10.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62172",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T16:07:00.569115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T16:07:08.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "home-assistant",
"versions": [
{
"status": "affected",
"version": "\u003e= 2025.1.0, \u003c 2025.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity\u0027s name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users\u0027 sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T20:39:28.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"
}
],
"source": {
"advisory": "GHSA-mq77-rv97-285m",
"discovery": "UNKNOWN"
},
"title": "Home Assistant vulnerable to Stored XSS in Energy dashboard from Energy Entity Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62172",
"datePublished": "2025-10-14T15:14:09.946Z",
"dateReserved": "2025-10-07T16:12:03.426Z",
"dateUpdated": "2025-10-21T20:39:28.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-62172\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-14T16:15:41.513\",\"lastModified\":\"2025-10-21T21:15:40.577\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity\u0027s name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users\u0027 sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"references\":[{\"url\":\"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62172\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-14T16:07:00.569115Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-14T16:07:05.080Z\"}}], \"cna\": {\"title\": \"Home Assistant vulnerable to Stored XSS in Energy dashboard from Energy Entity Name\", \"source\": {\"advisory\": \"GHSA-mq77-rv97-285m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"home-assistant\", \"product\": \"core\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2025.1.0, \u003c 2025.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m\", \"name\": \"https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity\u0027s name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users\u0027 sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-21T20:39:28.185Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-62172\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T20:39:28.185Z\", \"dateReserved\": \"2025-10-07T16:12:03.426Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-14T15:14:09.946Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2025-62172
Vulnerability from fkie_nvd
Published
2025-10-14 16:15
Modified
2025-10-21 21:15
Severity ?
Summary
Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity\u0027s name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users\u0027 sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist."
}
],
"id": "CVE-2025-62172",
"lastModified": "2025-10-21T21:15:40.577",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-10-14T16:15:41.513",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
ghsa-mq77-rv97-285m
Vulnerability from github
Published
2025-10-14 19:36
Modified
2025-10-21 20:39
Severity ?
VLAI Severity ?
Summary
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
Details
Summary
An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (The blue bar in the picture below)
An alternative, and more impactful scenario, is that the entity gets a malicious name from the provider of the Entity (in this case the energy provider: Tibber), and gets exploited that way, through the default name.
Details
The incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below:
The exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as such pick a malicious name. The default name given by the Energy integration can also be taken directly from their system, and be vulnerable that way. The execution happens within the energy dashboard, when hovering over a data point:
Update found after issue was reported:
I found that the issue presents itself for any entity with a html-entity in the name, which is included and rendered in the graph view. Following is an example for a speaker:
Source code
The relevant source code is added in a comment, but copy pasted here as well:
The offending line of code rendering the payload appears to be: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110 Where the parameter marked with bold and italic is the vulnerable value: return `${title}${params.marker} ${params.seriesName}: ${value}`;
From the trace below, we can see that the only change done to the friendly_name of an entity is replacing underscores with spaces (computeObjectId(entityId).replace(//g, " ")_).
We can also determine that any power entity will have it's name used if there is one, and fall back to the friendly name if it cannot find one:
data.push({
id: `${compare ? "compare-" : ""}${statId}-${type}`,
type: "bar",
cursor: "default",
name:
type in labels
? labels[type]
: getStatisticLabel(
this.hass,
statId,
statisticsMetaData[statId]
),
(https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478)
The value comes from:
-
https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478 (This is the relevant call: getStatisticLabel(this.hass, statId, statisticsMetaData[statId];)
-
getStatisticLabel is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339 (This is the relevant call: computeStateName(entity);)
-
computeStateName is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts
PoC
- Set up a new energy provider with a price sensor.
-
Give the price sensor a malicious name
-
Configure the energy dashboard to get data from the price sensor
- Look at the data and hover the data point for code to execute. (You may have to trigger data ingestion or add a false data point to be able to hover a data point when testing, you need at least one datapoint to trigger the vulnerability)
Impact
It is possible to exploit this over the internet, by using an energy provider, like Tibber, with a malicious name, and relying on the default naming in Home Assistant being used. This is actually how I found this bug:
This means that a malicious employee or someone with access to your electricity provider can attack your Home Assistant instance from your electricity provider. I am unsure if you consider this a sanitization and escaping issue in the respective integrations or not, but I believe a central fix in the form of fixing the Energy Dashboard is more appropriate, rather than to rely on every integration properly handling user input.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2025.10.1"
},
"package": {
"ecosystem": "PyPI",
"name": "homeassistant"
},
"ranges": [
{
"events": [
{
"introduced": "2025.1.0"
},
{
"fixed": "2025.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62172"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-14T19:36:53Z",
"nvd_published_at": "2025-10-14T16:15:41Z",
"severity": "HIGH"
},
"details": "### Summary\nAn authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (The blue bar in the picture below)\n\u003cimg width=\"955\" height=\"568\" alt=\"1_cens\" src=\"https://github.com/user-attachments/assets/ed855216-c306-4b50-affc-cda100e72b74\" /\u003e\n\n\nAn alternative, and more impactful scenario, is that the entity gets a malicious name from the provider of the Entity (in this case the energy provider: Tibber), and gets exploited that way, through the default name.\n\n\n### Details\nThe incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below:\n\u003cimg width=\"822\" height=\"309\" alt=\"2_cens\" src=\"https://github.com/user-attachments/assets/d0d5a7aa-8d0c-4dcb-825b-e4cb8ea8885b\" /\u003e\n\n\nThe exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as such pick a malicious name. The default name given by the Energy integration can also be taken directly from their system, and be vulnerable that way. The execution happens within the energy dashboard, when hovering over a data point:\n\n\u003cimg width=\"1547\" height=\"575\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6e5880c2-cde4-4a96-b573-73756c69d0d8\" /\u003e\n\n\n**Update found after issue was reported:**\nI found that the issue presents itself for any entity with a html-entity in the name, which is included and rendered in the graph view. Following is an example for a speaker:\n\u003cimg width=\"423\" height=\"96\" alt=\"11_cens\" src=\"https://github.com/user-attachments/assets/3b4d43dd-d9e0-466b-85c0-277af3195acf\" /\u003e\n\n##### Source code\nThe relevant source code is added in a comment, but copy pasted here as well:\n\nThe offending line of code rendering the payload appears to be:\nhttps://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110\nWhere the parameter marked with bold and italic is the vulnerable value:\nreturn \\`${title}${params.marker} **_${params.seriesName}_**: ${value}\\`;\n\n\nFrom the trace below, we can see that the only change done to the friendly_name of an entity is replacing underscores with spaces (_computeObjectId(entityId).replace(/_/g, \" \")_).\nWe can also determine that any power entity will have it\u0027s name used if there is one, and fall back to the friendly name if it cannot find one:\n```\ndata.push({\n id: `${compare ? \"compare-\" : \"\"}${statId}-${type}`,\n type: \"bar\",\n cursor: \"default\",\n name:\n type in labels\n ? labels[type]\n : getStatisticLabel(\n this.hass,\n statId,\n statisticsMetaData[statId]\n ),\n```\n(https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478)\n\n\nThe value comes from:\n\n1. https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478 \n(This is the relevant call: _getStatisticLabel(this.hass, statId, statisticsMetaData[statId];_)\n\n2. getStatisticLabel is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339 (This is the relevant call: _computeStateName(entity);_)\n\n3. computeStateName is defined here: https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts\n\n\n-----\n\n### PoC\n1. Set up a new energy provider with a price sensor.\n2. Give the price sensor a malicious name \n\u003cimg width=\"814\" height=\"100\" alt=\"4_cens\" src=\"https://github.com/user-attachments/assets/64bf7a00-47a2-46db-ae0f-b93e328837d2\" /\u003e\n\u003cimg width=\"459\" height=\"325\" alt=\"5_cens\" src=\"https://github.com/user-attachments/assets/e43e1c4f-bb4e-45b4-b46a-a6fc32b689ba\" /\u003e\n\n\n3. Configure the energy dashboard to get data from the price sensor\n\u003cimg width=\"582\" height=\"394\" alt=\"image\" src=\"https://github.com/user-attachments/assets/74c99ab8-0842-4c1b-b2e9-994827d89609\" /\u003e\n\n\u003cimg width=\"1678\" height=\"241\" alt=\"7_cens\" src=\"https://github.com/user-attachments/assets/24f4c83a-3c0a-4dea-9e1c-9c6b070fb28f\" /\u003e\n\n\n\u003cimg width=\"329\" height=\"497\" alt=\"8_cens\" src=\"https://github.com/user-attachments/assets/ccb7f90a-4745-4fb4-9efa-f30b3324cb3a\" /\u003e\n\n\n5. Look at the data and hover the data point for code to execute. (You may have to trigger data ingestion or add a false data point to be able to hover a data point when testing, you need at least one datapoint to trigger the vulnerability)\n\u003cimg width=\"1547\" height=\"575\" alt=\"9_cens\" src=\"https://github.com/user-attachments/assets/087cdf78-a503-427d-8e0c-bb5db24de5c8\" /\u003e\n\n\n### Impact\nIt is possible to exploit this over the internet, by using an energy provider, like Tibber, with a malicious name, and relying on the default naming in Home Assistant being used. This is actually how I found this bug:\n\u003cimg width=\"453\" height=\"152\" alt=\"10_cens\" src=\"https://github.com/user-attachments/assets/45451efb-2688-4589-a988-88d1fc0b4e25\" /\u003e\n\nThis means that a malicious employee or someone with access to your electricity provider can attack your Home Assistant instance from your electricity provider. I am unsure if you consider this a sanitization and escaping issue in the respective integrations or not, but I believe a central fix in the form of fixing the Energy Dashboard is more appropriate, rather than to rely on every integration properly handling user input.",
"id": "GHSA-mq77-rv97-285m",
"modified": "2025-10-21T20:39:14Z",
"published": "2025-10-14T19:36:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/home-assistant/core/security/advisories/GHSA-mq77-rv97-285m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62172"
},
{
"type": "PACKAGE",
"url": "https://github.com/home-assistant/core"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/common/entity/compute_state_name.ts"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/data/recorder.ts#L329-L339"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-devices-graph-card.ts#L110"
},
{
"type": "WEB",
"url": "https://github.com/home-assistant/frontend/blob/c13a80ce5e7ae39f0262444e2b6295a074a96732/src/panels/lovelace/cards/energy/hui-energy-usage-graph-card.ts#L467-L478"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
"type": "CVSS_V4"
}
],
"summary": "Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…