CVE-2025-62172: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in home-assistant core

Severity: Medium
Tags: CVE-2025-62172, CWE-80, CWE-79
Published: Tue Oct 14 2025 (10/14/2025, 15:14:09 UTC)
Source: CVE Database V5
Vendor/Project: home-assistant
Product: core

Description

Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.

AI-Powered Analysis

Last updated: 10/14/2025, 15:46:57 UTC

Technical Analysis

CVE-2025-62172 is a stored cross-site scripting vulnerability affecting the Home Assistant core energy dashboard in versions 2025.1.0 through 2025.10.1. The vulnerability stems from improper neutralization of script-related HTML tags (CWE-80 and CWE-79) in the energy entity name field. Authenticated users can inject malicious JavaScript code into this field, which is then rendered unsanitized in the graph tooltips when any user hovers over data points. This flaw allows arbitrary script execution in the context of other users' sessions, potentially compromising session integrity, stealing credentials, or performing unauthorized actions. Notably, if an energy provider such as Tibber supplies a malicious default entity name, the vulnerability can be exploited without direct user input, increasing the attack surface. The vulnerability requires authentication but no user interaction for exploitation once the malicious name is present. The issue was publicly disclosed on October 14, 2025, and patched in version 2025.10.2. No known workarounds exist, and no exploits have been observed in the wild to date. The CVSS 4.0 base score of 5.3 reflects a medium severity, with network attack vector, low attack complexity, and no privileges beyond authentication required.

Potential Impact

For European organizations using Home Assistant for home or building automation, this vulnerability poses a risk of session hijacking, unauthorized command execution, or data theft within the local automation environment. Since Home Assistant is often deployed in smart homes and small business environments, exploitation could lead to privacy breaches or manipulation of automation controls. The risk is elevated if energy providers integrated with Home Assistant supply malicious default entity names, enabling exploitation without direct attacker interaction. This could impact energy management, device control, and user data confidentiality. Although the vulnerability requires authenticated access, many Home Assistant deployments have multiple users or integrations that could be leveraged by attackers. The medium severity score suggests moderate impact, but the potential for lateral movement or escalation within smart home networks could amplify consequences. European organizations relying on Home Assistant for critical automation should consider this a significant security concern, especially given the lack of workarounds and the need to upgrade promptly.

Mitigation Recommendations

The primary mitigation is to upgrade Home Assistant core to version 2025.10.2 or later, where the vulnerability is patched. Organizations should audit user accounts and integrations with energy providers to ensure no malicious entity names exist. Restricting user privileges to minimize who can create or modify energy entities reduces risk. Implement network segmentation to isolate Home Assistant instances from broader enterprise networks to limit lateral movement if exploitation occurs. Monitor logs for unusual changes to entity names or unexpected JavaScript execution patterns. Validate and sanitize all inputs from third-party integrations, especially energy providers, before ingestion. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious script injections in Home Assistant traffic. Educate users on the risks of authenticated XSS and enforce strong authentication controls to prevent unauthorized access. Finally, maintain regular backups and incident response plans tailored to smart home automation environments.
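The tooltip sink described in the analysis above and the entity-name audit step recommended here, as an added example that is not Home Assistant's own code. The entity list, the field names (`entity_id`, `name`, `kwh`) and the tooltip markup are constructed for illustration; the real frontend's charting code is not reproduced.

```javascript
// Constructed sample data: the second entry carries markup of the kind an
// authenticated user (or a provider-supplied default name) could introduce.
const entities = [
  { entity_id: "sensor.grid_import", name: "Grid import", kwh: 12.4 },
  { entity_id: "sensor.solar_yield", name: 'Solar <img src=x onerror="alert(1)">', kwh: 7.9 },
];

// Vulnerable pattern: the entity name is interpolated straight into the HTML
// string that the chart library assigns to the tooltip element, so any tag or
// event handler in the name becomes live markup when a user hovers a data point.
function renderTooltipUnsafe(entity) {
  return `<div class="tooltip"><b>${entity.name}</b>: ${entity.kwh} kWh</div>`;
}

// Escape the five HTML-significant characters so untrusted text can only ever
// be text, never a tag or an attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: identical markup, but every interpolated value is escaped.
// Using textContent on a real DOM node would achieve the same thing; escaping
// is shown here because chart tooltip formatters typically return HTML strings.
function renderTooltipSafe(entity) {
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b>: ${escapeHtml(entity.kwh)} kWh</div>`;
}

// Audit helper for the "ensure no malicious entity names exist" step: flags
// names containing a tag opener, an on*= attribute, or a javascript: URL.
// Deliberately broad (it will flag e.g. "Seasonal = 1"); intended for a
// manual review of exported entity names, not as a blocking filter.
const SUSPICIOUS_NAME = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousNames(list) {
  return list.filter((e) => SUSPICIOUS_NAME.test(e.name)).map((e) => e.entity_id);
}

// Demonstration when run directly.
console.log("unsafe :", renderTooltipUnsafe(entities[1]));
console.log("safe   :", renderTooltipSafe(entities[1]));
console.log("flagged:", findSuspiciousNames(entities));
```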


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-07T16:12:03.426Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ee6cbc1b3029e3c7e04057

Added to database: 10/14/2025, 3:31:08 PM

Last enriched: 10/14/2025, 3:46:57 PM

Last updated: 10/16/2025, 12:20:10 PM