CVE-2025-65713 is a directory traversal vulnerability identified in the Downloader integration of Home Assistant Core versions before 2025.8.0. The vulnerability stems from insufficient validation of file paths during concatenation operations within the Downloader integration, which allows an attacker to craft malicious file paths that traverse directories outside the intended scope. This can enable unauthorized reading or writing of files on the underlying host system. Directory traversal vulnerabilities are critical because they can lead to exposure of sensitive configuration files, credentials, or system files, potentially facilitating further compromise. The flaw does not require authentication, meaning an attacker can exploit it remotely if the vulnerable service is exposed or accessible within a network. However, exploitation requires interaction with the Downloader integration, which is typically used to fetch files from external sources. No public exploits have been reported yet, but the vulnerability is publicly disclosed and patched in version 2025.8.0. Home Assistant is widely used in smart home and building automation environments, making this vulnerability relevant to organizations relying on such systems for operational technology. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability affects confidentiality and integrity by allowing unauthorized file access and potential modification. Availability impact is limited unless critical system files are overwritten. The scope is limited to systems running vulnerable Home Assistant versions with the Downloader integration enabled. Given these factors, the vulnerability presents a significant risk, especially in environments with weak network segmentation or exposed interfaces.

For European organizations, the impact of CVE-2025-65713 could be substantial, particularly for those using Home Assistant in smart homes, office buildings, or industrial automation. Unauthorized access to configuration files or credentials could lead to further compromise of internal networks or IoT devices. Confidentiality breaches could expose sensitive user data or operational parameters. Integrity could be compromised if attackers modify files, potentially disrupting automation workflows or causing unsafe device behaviors. While no direct availability impact is reported, manipulation of critical files could indirectly cause service disruptions. Organizations with exposed Home Assistant instances or insufficient network segmentation are at higher risk. The vulnerability could also be leveraged as a foothold for lateral movement within corporate or residential networks. Given the increasing integration of smart devices in European infrastructure, this vulnerability poses a risk to privacy, operational continuity, and safety.

The primary mitigation is to upgrade Home Assistant Core to version 2025.8.0 or later, where the vulnerability is patched. Organizations should audit their deployments to identify instances running vulnerable versions with the Downloader integration enabled. Implement strict input validation and sanitization for any user-supplied file paths or URLs. Network segmentation should be enforced to isolate Home Assistant instances from critical internal networks and limit exposure to untrusted networks. Employ firewall rules to restrict access to the Home Assistant interface and Downloader integration endpoints. Monitor logs for suspicious file access patterns or unauthorized path traversal attempts. Consider disabling the Downloader integration if not required. Regularly update and patch Home Assistant and related components to reduce exposure to known vulnerabilities. Conduct security awareness training for administrators managing smart home or building automation systems.