
CVE-2025-62172: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in home-assistant core

Severity: High
Tags: Vulnerability, CVE-2025-62172, CWE-80, CWE-79
Published: Tue Oct 14 2025 (10/14/2025, 15:14:09 UTC)
Source: CVE Database V5
Vendor/Project: home-assistant
Product: core

Description

Home Assistant is open source home automation software that puts local control and privacy first. In versions 2025.1.0 through 2025.10.1, the energy dashboard is vulnerable to stored cross-site scripting. An authenticated user can inject malicious JavaScript code into an energy entity's name field, which is then executed when any user hovers over data points in the energy dashboard graph tooltips. The vulnerability exists because entity names containing HTML are not properly sanitized before being rendered in graph tooltips. This could allow an attacker with authentication to execute arbitrary JavaScript in the context of other users' sessions. Additionally, if an energy provider (such as Tibber) supplies a malicious default name for an entity, the vulnerability can be exploited without direct user action when the default name is used. This issue has been patched in version 2025.10.2. No known workarounds exist.

AI-Powered Analysis

AI analysis last updated: 10/21/2025, 20:59:22 UTC

Technical Analysis

CVE-2025-62172 is a stored cross-site scripting (XSS) vulnerability in the energy dashboard of Home Assistant core, versions 2025.1.0 through 2025.10.1. The root cause is improper neutralization of HTML in energy entity names (CWE-80, a special case of CWE-79): the dashboard inserts an entity's name into the graph tooltip markup as HTML rather than as text, so any tag stored in the name is created as live DOM when the tooltip is drawn. An authenticated user who can rename an entity therefore gets a persistent payload that fires in the browser of every other user who hovers over the corresponding data point. Because the Home Assistant frontend is a single-page application that talks to the backend over an authenticated WebSocket and REST API, script running inside a victim's page can issue the same API calls the dashboard itself makes, in the victim's session and with the victim's privileges: reading state, calling services, changing configuration, and, for an administrator victim, anything the admin UI can do. A second trigger path does not need a malicious local user at all: if an energy integration (the advisory names Tibber) supplies a default entity name containing markup, the payload is stored when the integration is set up and the default name is kept. Two conditions are needed for exploitation: the attacker must have an authenticated account (low privileges suffice), and a victim must hover over the affected data point, which is a form of user interaction even though it is one a dashboard user performs routinely. The CVSS 4.0 base score recorded for this issue is 8.5 (High), reflecting a network attack vector, low attack complexity, low required privileges, and high impact on confidentiality, integrity and availability. The issue was published on October 14, 2025 and fixed in 2025.10.2. No exploitation in the wild is recorded, and no workaround exists other than upgrading.
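The rendering mistake described above, as an added illustration written for this page (it is not the Home Assistant frontend code or the project's patch): a tooltip builder that interpolates the stored entity name straight into markup, next to the same builder with the name escaped as text. The entity names, the tooltip markup and the `hasForeignTag` check are all constructed for the demo; the real dashboard's template and charting library differ.

```javascript
// Stored XSS in an energy-graph tooltip: vulnerable pattern vs. escaping fix.
// Added example for this page, not Home Assistant code. All sample data below
// is constructed.

// Constructed stored entity names: one benign, one carrying an XSS payload of
// the kind a malicious user or a bad integration default could persist.
const SAMPLE_ENTITIES = [
  { entity_id: 'sensor.grid_consumption', name: 'Grid consumption' },
  { entity_id: 'sensor.solar_production',
    name: '<img src=x onerror="alert(document.cookie)">Solar' },
];

// Vulnerable pattern: the stored name is interpolated into an HTML string that
// is later assigned to innerHTML (or handed to a charting library's HTML
// tooltip formatter). Any tag in the name becomes live DOM in the viewer's
// session, which is exactly the CWE-80 condition.
function renderTooltipUnsafe(entity, valueKwh) {
  return `<div class="tooltip"><b>${entity.name}</b>: ${valueKwh} kWh</div>`;
}

// Fix: treat the name as text. Escaping the five HTML-significant characters
// before interpolation makes the browser display the payload literally.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderTooltipSafe(entity, valueKwh) {
  // Number() also stops a non-numeric value from smuggling markup in.
  return `<div class="tooltip"><b>${escapeHtml(entity.name)}</b>: ${Number(valueKwh)} kWh</div>`;
}

// Demo-only check: strip the tags the template itself emits and see whether
// any other tag opener survives. In the vulnerable output the payload's <img>
// survives; in the fixed output only &lt;img... text remains.
const TEMPLATE_TAGS = /<\/?(div|b)\b[^>]*>/g;
function hasForeignTag(html) {
  return /<[a-zA-Z!\/]/.test(html.replace(TEMPLATE_TAGS, ''));
}

// Runs both renderers over the sample names and reports which one leaks a tag.
function demo() {
  const results = {};
  for (const e of SAMPLE_ENTITIES) {
    results[e.entity_id] = {
      unsafeInjects: hasForeignTag(renderTooltipUnsafe(e, 12.5)),
      safeInjects: hasForeignTag(renderTooltipSafe(e, 12.5)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The same outcome is obtained in a Lit or React template by binding the name as a text child instead of through `unsafeHTML` or `dangerouslySetInnerHTML`; escaping at the point of rendering is the fix, not filtering the stored value, because the name is also shown elsewhere in the UI.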

Potential Impact

For European organizations running Home Assistant in homes, offices or building-management roles, the practical risk is that a low-privileged account, or an energy integration that ships a bad default name, gets persistent script execution in the sessions of every other dashboard user, including administrators. With an administrator's session, injected script can call the same API the UI uses: read sensor history and presence data, switch or lock devices, change automations, or create further access. It can also use the victim's browser as a foothold for requests to other services on the same local network. For residential users that means privacy loss and tampering with physical devices; for commercial or critical-infrastructure deployments it adds operational disruption and, where energy data is reported to regulators or customers, integrity problems. The provider-supplied-name path matters most for organizations that onboard third-party energy integrations without reviewing what those integrations create. Installations where several people share the dashboard, or where an untrusted party holds any account, are the most exposed. No exploitation in the wild is recorded, which leaves time to patch, but the High score and the absence of any workaround make upgrading the only real mitigation.

Mitigation Recommendations

1. Upgrade every Home Assistant core installation to 2025.10.2 or later; this is the only fix, and there is no configuration workaround.
2. Before and after upgrading, review the names of existing entities for HTML tags, event-handler attributes or javascript: URIs, paying particular attention to entities created by external energy integrations, and rename any that carry markup. Cleaning stored names does not replace the upgrade (the rendering bug, not the data, is the defect), but it removes payloads that are already in place.
3. Limit dashboard access to trusted accounts, remove accounts that are no longer needed, and enable multi-factor authentication so that a stolen password alone is not enough to plant a payload.
4. Watch for unexpected entity renames, new or unknown integrations, and administrator actions that the administrator did not perform (new users, new long-lived access tokens, changed automations), which are the observable traces of both the injection and its use.
5. Treat third-party energy integrations as untrusted input: review the entities they create when they are first added, and defer adding new providers until the instance is patched.
6. Tell users that hovering over graph data points is a trigger for this issue on unpatched instances, so that they avoid the energy dashboard until the upgrade is done.
7. If the instance sits behind a reverse proxy, a Content-Security-Policy header that restricts script sources can reduce what an injected script is able to do; test it carefully, since a strict policy can break the frontend, and treat it as defense in depth rather than a fix.
8. Keep Home Assistant core, the frontend and add-ons on a regular update cadence so that similar frontend issues are closed promptly.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-10-07T16:12:03.426Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ee6cbc1b3029e3c7e04057

Added to database: 10/14/2025, 3:31:08 PM

Last enriched: 10/21/2025, 8:59:22 PM

Last updated: 12/4/2025, 9:42:31 AM

