CVE-2024-29019 in esphome
Summary
by MITRE • 04/11/2024
ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete). It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform. This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5/ CVE-2024-27287 to obtain a complete takeover of the user account. Version 2024.3.0 contains a patch for this issue.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/13/2025
The vulnerability identified as CVE-2024-29019 affects ESPHome, a popular open-source system designed to enable remote control of microcontrollers through home automation frameworks. This system operates by providing a dashboard component that allows users to manage their IoT devices through web-based interfaces. The specific flaw resides within the API endpoints of the dashboard component in version 2023.12.9, which has been identified as susceptible to Cross-Site Request Forgery attacks according to CWE-352. The vulnerability allows remote attackers to manipulate authenticated sessions and perform unauthorized operations on configuration files through the dashboard interface.
The technical implementation of this CSRF vulnerability stems from the absence of proper anti-CSRF protection mechanisms within the ESPHome dashboard's API endpoints. When a user is logged into the ESPHome dashboard, their authentication session remains active and can be exploited by malicious actors who craft specially designed web pages. These weaponized pages contain embedded requests that automatically execute against the ESPHome dashboard when the victim visits them, effectively bypassing the authentication layer that should normally protect configuration file operations. The vulnerability specifically targets operations that create, edit, or delete configuration files, making it particularly dangerous for IoT device management systems where configuration changes can significantly impact device behavior and security posture.
The operational impact of this vulnerability extends beyond simple unauthorized file manipulation. An attacker can leverage this CSRF flaw to perform complete account takeovers, especially when chained with other vulnerabilities such as GHSA-9p43-hj5j-96h5 or CVE-2024-27287. This chaining capability demonstrates how CSRF vulnerabilities can serve as initial access vectors that enable more sophisticated attacks, potentially leading to full compromise of the user's IoT ecosystem. The requirement for victim interaction through visiting a malicious webpage means that social engineering becomes a critical factor in exploitation, making this vulnerability particularly challenging to defend against in environments where users may encounter untrusted content.
Security mitigations for CVE-2024-29019 involve upgrading to ESPHome version 2024.3.0, which contains the necessary patches to address the CSRF vulnerability. Organizations should also implement additional defensive measures such as network segmentation to limit access to ESPHome dashboard components, implementing proper input validation and output encoding for all web interfaces, and establishing robust monitoring for unusual configuration file modifications. The vulnerability's classification under CWE-352 highlights the importance of implementing anti-CSRF tokens in all state-changing operations, particularly those involving sensitive configuration management. From an ATT&CK framework perspective, this vulnerability maps to techniques involving credential access and privilege escalation, demonstrating how seemingly minor authentication bypasses can lead to significant operational security compromises in IoT environments.