CVE-2023-41896
CVE-2023-41896 is a high-severity vulnerability in Home-assistant with a CVSS 3.x base score of 7.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-345.
Key facts
- Severity: High (CVSS 3.x base score 7.1)
- EPSS exploit prediction: 0% (19th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-345
- Affected product: Home-assistant
- Published:
- Last modified:
Description
Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Frequently asked questions
- What is CVE-2023-41896?
- Home assistant is an open source home automation. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected `auth_callback=1`, which is leveraged by the WebSocket authentication logic in tandem with the `state` parameter. The state parameter contains the `hassUrl`, which is subsequently utilized to establish a WebSocket connection. This behavior permits an attacker to create a malicious Home Assistant link with a modified state parameter that forces the frontend to connect to an alternative WebSocket backend. Henceforth, the attacker can spoof any WebSocket responses and trigger cross site scripting (XSS). Since the XSS is executed on the actual Home Assistant frontend domain, it can connect to the real Home Assistant backend, which essentially represents a comprehensive takeover scenario. Permitting the site to be iframed by other origins, as discussed in GHSA-935v-rmg9-44mw, renders this exploit substantially covert since a malicious website can obfuscate the compromise strategy in the background. However, even without this, the attacker can still send the `auth_callback` link directly to the victim user. To mitigate this issue, Cure53 advises modifying the WebSocket code’s authentication flow. An optimal implementation in this regard would not trust the `hassUrl` passed in by a GET parameter. Cure53 must stipulate the significant time required of the Cure53 consultants to identify an XSS vector, despite holding full control over the WebSocket responses. In many areas, data from the WebSocket was properly sanitized, which hinders post-exploitation. The audit team eventually detected the `js_url` for custom panels, though generally, the frontend exhibited reasonable security hardening. This issue has been addressed in Home Assistant Core version 2023.8.0 and in the npm package home-assistant-js-websocket in version 8.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- How severe is CVE-2023-41896?
- CVE-2023-41896 has a CVSS 3.x base score of 7.1, rated high severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-41896 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (19th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-41896?
- CVE-2023-41896 primarily affects Home-assistant. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-41896?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-41896 published?
- CVE-2023-41896 was published on 2023-10-19 and last updated on 2026-06-17.
References
- https://github.com/home-assistant/core/security/advisories/GHSA-935v-rmg9-44mw
- https://github.com/home-assistant/core/security/advisories/GHSA-cr83-q7r2-7f5q
Affected products (2)
- cpe:2.3:a:home-assistant:home-assistant:*:*:*:*:*:*:*:*
- cpe:2.3:a:home-assistant:home-assistant-js-websocket:*:*:*:*:*:node.js:*:*
More vulnerabilities in Home-assistant
- CVE-2023-27482 — Critical (CVSS 10.0): homeassistant is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for…
- CVE-2023-41897 — High (CVSS 8.8): Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers,…
- CVE-2023-41895 — High (CVSS 8.8): Home assistant is an open source home automation. The Home Assistant login page allows users to use their local Home…
- CVE-2026-54317 — High (CVSS 7.6): Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0,…
- CVE-2020-36517 — High (CVSS 7.5): An information leak in Nabu Casa Home Assistant Operating System and Home Assistant Supervised 2022.03 allows a DNS…
- CVE-2018-21019 — High (CVSS 7.5): Home Assistant before 0.67.0 was vulnerable to an information disclosure that allowed an unauthenticated attacker to…
All CVEs affecting Home-assistant →
Other CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities
- CVE-2026-35051 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an…
- CVE-2014-8165 — Critical (CVSS 10.0): scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote…
- CVE-2026-50195 — Critical (CVSS 9.9): containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the…
- CVE-2022-36130 — Critical (CVSS 9.9): HashiCorp Boundary up to 0.10.1 did not properly perform data integrity checks to ensure the resources were associated…
- CVE-2026-50214 — Critical (CVSS 9.8): The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing…
- CVE-2025-15385 — Critical (CVSS 9.8): Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows…
Browse all CWE-345 (Insufficient Verification of Data Authenticity) vulnerabilities →