Home Assistant Core Directory Traversal Vulnerability

MEDIUM (4.0) No Patch

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Home Assistant is an open-source home automation platform that allows users to control and monitor their smart devices remotely. The Downloader integration in Home Assistant Core is vulnerable to directory traversal because it does not adequately validate file paths when concatenating them. This vulnerability can lead to arbitrary code execution, potentially allowing attackers to access sensitive data or take control of the system.
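The weakness class described above, as an added example (not Home Assistant's code and not taken from the advisory): a download path built by plain concatenation beside a version that resolves the path and requires it to stay inside the download directory. The function names and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_join(download_dir: str, filename: str) -> str:
    """Weak pattern: joins the name onto the directory and trusts the result."""
    return os.path.normpath(os.path.join(download_dir, filename))


def safe_join(download_dir: str, filename: str) -> Path:
    """Hardened pattern: resolve first, then require the result to stay inside."""
    base = Path(download_dir).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute filename
    # replaces base entirely, which the containment check below also rejects.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError(f"refusing path outside download directory: {filename!r}")
    return candidate


def check_names(download_dir: str, names):
    """Return {name: True if safe_join accepts it, False if it is rejected}."""
    results = {}
    for name in names:
        try:
            safe_join(download_dir, name)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


# Constructed sample inputs (hypothetical, not from the advisory).
SAMPLE_NAMES = ["report.pdf", "sub/report.pdf", "../outside.txt",
                "sub/../../outside.txt", "/tmp/absolute.txt", ""]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("naive:", naive_join(d, "../outside.txt"))
        for name, ok in check_names(d, SAMPLE_NAMES).items():
            print(f"{name!r:28} {'accepted' if ok else 'rejected'}")
```

The containment check runs on the resolved path, so it also rejects names that only leave the directory after normalisation or through a symlink.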

Am I affected?

You're affected if you use Home Assistant Core. The advisory does not state specific version information. If you don't recognise this software, you're probably not affected.

Affected Products

Home Assistant / Core

How to fix

To fix this vulnerability, upgrade to Home Assistant Core version 2025.8.0 or later. You can download the latest version from the official GitHub repository: https://github.com/home-assistant/core/releases

Immediate mitigations:

  • Restrict network access to your Home Assistant instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation