CVE-2025-62172
Python vulnerability analysis and mitigation

Overview

Home Assistant, an open-source home automation software, was found to contain a stored cross-site scripting vulnerability (CVE-2025-62172) in versions 2025.1.0 through 2025.10.1. The vulnerability affects the energy dashboard functionality where entity names containing HTML are not properly sanitized before being rendered in graph tooltips (GitHub Advisory).

Technical details

The vulnerability exists in the energy dashboard's graph tooltip rendering mechanism. When displaying entity names in tooltips, the system fails to properly sanitize HTML content, allowing for script injection. The issue specifically occurs when hovering over data points in the energy dashboard graph tooltips. The vulnerability has been assigned a CVSS 4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The weakness is categorized under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) and CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).

Impact

The vulnerability allows an authenticated attacker to inject malicious JavaScript code into an energy entity's name field, which is then executed in the context of other users' sessions when they hover over data points in the energy dashboard. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 2025.10.2. No known workarounds exist for affected versions. Users are advised to upgrade to the patched version to protect against this vulnerability (GitHub Advisory).

Additional resources


SourceThis report was generated using AI

Related Python vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-61920HIGH7.5
  • PythonPython
  • python-authlib
NoYesOct 10, 2025
GHSA-g7f3-828f-7h7mMEDIUM6.5
  • PythonPython
  • authlib
NoYesOct 10, 2025
CVE-2025-61912MEDIUM5.5
  • PythonPython
  • awx
NoYesOct 10, 2025
CVE-2025-61911MEDIUM5.5
  • PythonPython
  • python-ldap
NoYesOct 10, 2025
CVE-2025-62172MEDIUM5.3
  • PythonPython
  • homeassistant
NoYesOct 14, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management