AIKIDO-2026-10312

homeassistant is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 9, 2026

72

High Risk

This Affects:

Python: homeassistant
0.0.1 - 2026.2.2
Fixed in 2026.2.3

TL;DR

Affected versions of this package are vulnerable to a server-side request forgery (SSRF) bypass due to insufficient validation of HTTP redirects in the internal HTTP client. When Home Assistant performs outbound HTTP requests, a malicious server could return a redirect pointing to localhost or other loopback addresses, causing the client to follow the redirect and access internal services that should not be reachable. An attacker controlling the remote endpoint could exploit this behavior to force requests to internal network resources, potentially exposing sensitive services or data. The issue is addressed by blocking redirects that resolve to loopback or unspecified addresses such as localhost.
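To make the redirect check described above concrete, here is an added example of a redirect-target validator in the spirit of the fix; it is not Home Assistant's own code, which this advisory does not show. It refuses a Location whose host is a literal loopback or unspecified address, or whose resolved addresses include one; the resolver table and hostnames are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

Resolver = Callable[[str], Iterable[str]]


def resolve_hostname(hostname: str) -> list[str]:
    """Default resolver: every address the system resolver returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_blocked_address(ip: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) targets."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is still 127.0.0.1 on the wire; judge the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback or addr.is_unspecified


def redirect_is_allowed(location: str, resolver: Resolver = resolve_hostname) -> bool:
    """Decide whether a redirect Location may be followed.

    Rejects non-http(s) schemes, missing hosts, and any host whose literal or
    resolved addresses are loopback or unspecified. A name such as "localhost"
    is not an IP literal, so it must be resolved rather than string-matched,
    and every returned address is checked, not only the first one.
    """
    parsed = urlparse(location)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname  # brackets around IPv6 literals are already stripped
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError:  # socket.gaierror is an OSError
            return False  # unresolvable host: refuse rather than guess
    return bool(addresses) and not any(is_blocked_address(ip) for ip in addresses)


# Constructed resolver table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "internal.example": ["127.0.0.1"],
    "mixed.example": ["203.0.113.10", "127.0.0.1"],
    "update.example": ["203.0.113.10"],
}


def fake_resolver(hostname: str) -> list[str]:
    """Stand-in for DNS that answers only from the constructed table."""
    if hostname not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return FAKE_DNS[hostname]
```

Plug the real resolver in by leaving the `resolver` argument at its default; the check then costs one DNS lookup per redirect hop.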

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

homeassistant is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 2026.2.2.

How to fix this

Upgrade the homeassistant package to 2026.2.3 or later, the version that contains the fix.