45.0.1
Security / DoS hardening
This release adds bounds checks for several DoS vectors that a misbehaving or compromised ESPHome device could use to OOM the client process (typically Home Assistant). All three require an established API session — i.e. a device the user has already adopted — but a malicious or buggy peer in that session was previously able to:
- Stream `CameraImageResponse` chunks indefinitely, or rotate `cam_msg.key` across ~4 billion values, to grow the per-subscription reassembly buffer without bound. Affects every install that has an ESPHome camera. Fixed in #1648.
- Send a `length` varuint of arbitrary size in plaintext mode (no `noise_psk`), causing the client to buffer up to that many bytes (an easy multi-GiB allocation), or stream `\x80\x80…` indefinitely with no terminating byte, growing the receive buffer and forcing repeated O(N²) bigint shifts on every `data_received`. The noise path was incidentally protected by its fixed 16-bit length header; plaintext had no equivalent cap. Fixed in #1651.
- Send `msg_type=0`, which silently routed the payload to the last registered protobuf class instead of dropping it as an unknown message type. Low impact in practice (the connection drops anyway when the parse fails) but a footgun for future code. Fixed in #1645.
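As an added example of the kind of bound #1648 describes (example code written for these notes, not aioesphomeapi's own implementation): a per-subscription reassembler keyed by `cam_msg.key` that caps both the size of a single image and the number of in-flight keys, so neither an endless chunk stream for one key nor rotating the key through ~4 billion values can grow memory. The two caps, the oldest-first eviction policy and the `simulate_key_rotation` attack driver are hypothetical choices for illustration, not the project's constants or logic:

```python
"""Bounded reassembly of chunked camera images keyed by cam_msg.key.

Added example, not aioesphomeapi's code: the caps and the eviction policy are
hypothetical choices that show the shape of the fix, not what #1648 does.
"""
from __future__ import annotations

from collections import OrderedDict

MAX_IMAGE_BYTES = 1024 * 1024   # hypothetical: one image may not exceed 1 MiB
MAX_PENDING_IMAGES = 4          # hypothetical: at most 4 partially received images per subscription


class ImageTooLarge(ValueError):
    """Raised when a peer streams more chunk bytes for one key than the cap allows."""


class CameraReassembler:
    def __init__(self, max_image_bytes: int = MAX_IMAGE_BYTES,
                 max_pending: int = MAX_PENDING_IMAGES) -> None:
        self._max_image_bytes = max_image_bytes
        self._max_pending = max_pending
        # Insertion-ordered so that the oldest abandoned key is the one evicted.
        self._pending: OrderedDict[int, bytearray] = OrderedDict()

    def add_chunk(self, key: int, data: bytes, done: bool) -> bytes | None:
        """Append one chunk; return the complete image when `done` is set, else None.

        Two independent bounds:
        * per key: accumulated bytes may not exceed max_image_bytes, which defeats
          streaming chunks for a single key forever;
        * across keys: at most max_pending keys are held and a new key evicts the
          oldest, which defeats rotating the key through ~4 billion values.
        """
        buf = self._pending.get(key)
        if buf is None:
            while len(self._pending) >= self._max_pending:
                self._pending.popitem(last=False)   # drop the oldest unfinished image
            buf = self._pending[key] = bytearray()
        if len(buf) + len(data) > self._max_image_bytes:
            del self._pending[key]
            raise ImageTooLarge(f"image {key} exceeds {self._max_image_bytes} bytes")
        buf += data
        if not done:
            return None
        del self._pending[key]
        return bytes(buf)

    def pending_images(self) -> int:
        return len(self._pending)

    def pending_bytes(self) -> int:
        return sum(len(b) for b in self._pending.values())


def simulate_key_rotation(n_keys: int, chunk: bytes) -> tuple[int, int]:
    """Constructed attack: one chunk per distinct key, never marked done.

    Returns (pending images, pending bytes) afterwards; both stay capped no
    matter how many keys the peer cycles through.
    """
    r = CameraReassembler()
    for key in range(n_keys):
        r.add_chunk(key & 0xFFFFFFFF, chunk, done=False)
    return r.pending_images(), r.pending_bytes()
```

`ImageTooLarge` is the signal to tear the connection down rather than to skip one image: a peer that exceeds a hard cap is either broken or hostile, and the session itself is the thing to stop trusting.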
Threat model is "adopted device misbehaves," not a remote unauthenticated attack. Plaintext-mode users should upgrade first, since #1651 lowers the bar to "anyone who can reach the device on the LAN": without `noise_psk` there is no authentication on the wire, so a network attacker can MITM the session and inject the oversized length themselves.
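A minimal bounded version of the plaintext framing discussed above, as an added example (written for these notes, not aioesphomeapi's own parser). The frame layout follows the ESPHome native API plaintext format (0x00 indicator byte, varuint length, varuint message type, payload). The caps, the pre-fix `read_varuint_unbounded` shown for contrast, and the `MESSAGE_TYPES` table are hypothetical and exist only to show the shape of the #1651 and #1645 checks, not the project's actual constants:

```python
"""Bounded plaintext framing for an ESPHome-style native API client.

Added example, not aioesphomeapi's code. Assumed frame layout (ESPHome
plaintext framing):

    0x00 indicator | varuint length | varuint msg_type | payload

Every cap below is a hypothetical value chosen for illustration.
"""
from __future__ import annotations

MAX_VARUINT_BYTES = 5                 # hypothetical: a 32-bit varuint fits in 5 bytes
MAX_FRAME_LENGTH = 16 * 1024 * 1024   # hypothetical: 16 MiB cap on a single frame
MAX_MSG_TYPE = 0xFFFF                 # hypothetical: message types are 16-bit


class FrameError(ValueError):
    """Malformed or oversized frame; the caller should drop the connection."""


def read_varuint_unbounded(buf: bytes, pos: int) -> tuple[int | None, int]:
    """Pre-fix shape: consumes continuation bytes for as long as the peer sends them.

    A peer streaming b"\\x80\\x80..." never terminates the varuint, so the caller
    keeps appending to its buffer and rescanning from `pos` on every data_received.
    """
    value, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        value |= (b & 0x7F) << shift
        pos += 1
        if not (b & 0x80):
            return value, pos
        shift += 7
    return None, pos          # need more bytes; nothing stops this from recurring forever


def read_varuint(buf: bytes, pos: int, max_bytes: int = MAX_VARUINT_BYTES) -> tuple[int | None, int]:
    """Bounded decode: at most `max_bytes` bytes are ever examined, so a continuation
    stream is rejected after a fixed number of bytes instead of growing the buffer."""
    value, shift = 0, 0
    for i in range(max_bytes):
        if pos + i >= len(buf):
            return None, pos  # incomplete but still within the cap; wait for more data
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not (b & 0x80):
            return value, pos + i + 1
        shift += 7
    raise FrameError(f"varuint exceeds {max_bytes} bytes")


def parse_plaintext_frame(buf: bytes) -> tuple[int, bytes, int] | None:
    """Parse one frame from the start of `buf`.

    Returns (msg_type, payload, bytes_consumed), or None if the frame is incomplete.
    Raises FrameError on a bad indicator, an oversized length, or msg_type 0.
    """
    if not buf:
        return None
    if buf[0] != 0x00:
        raise FrameError("bad indicator byte (not plaintext framing)")
    length, pos = read_varuint(buf, 1)
    if length is None:
        return None
    # Validate the declared length BEFORE deciding how much to buffer for it.
    if length > MAX_FRAME_LENGTH:
        raise FrameError(f"declared frame length {length} exceeds {MAX_FRAME_LENGTH}")
    msg_type, pos = read_varuint(buf, pos)
    if msg_type is None:
        return None
    if msg_type == 0 or msg_type > MAX_MSG_TYPE:
        raise FrameError(f"invalid msg_type {msg_type}")
    if len(buf) - pos < length:
        return None           # wait for the rest of a length we have already bounded
    return msg_type, buf[pos:pos + length], pos + length


def split_frames(buf: bytes) -> tuple[list[tuple[int, bytes]], bytes]:
    """Drain complete frames from a receive buffer, returning (frames, leftover).

    Because every length is bounded before it is buffered, `leftover` can never
    grow past MAX_FRAME_LENGTH plus a few header bytes.
    """
    frames: list[tuple[int, bytes]] = []
    pos = 0
    while True:
        parsed = parse_plaintext_frame(buf[pos:])
        if parsed is None:
            return frames, buf[pos:]
        msg_type, payload, consumed = parsed
        frames.append((msg_type, payload))
        pos += consumed


# Constructed table standing in for the protobuf class registry; the point is that
# type 0 or an unknown type yields None instead of falling through to the last entry.
MESSAGE_TYPES = {1: "HelloRequest", 2: "HelloResponse", 3: "ConnectRequest"}


def lookup_message(msg_type: int) -> str | None:
    if msg_type == 0:
        return None
    return MESSAGE_TYPES.get(msg_type)
```

The ordering inside `parse_plaintext_frame` is the whole point: the declared length is compared against the cap before any decision to keep buffering, and the varuint reader itself refuses to read past a fixed byte count, so neither a huge `length` nor an endless `\x80` stream can make the receive buffer grow.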
What's Changed
- Bound plaintext varuint length and frame size to prevent buffer-growth DoS (#1651) @bdraco
- docs: add Cython gotchas section to CLAUDE.md (#1653) @bdraco
- Don't let zeroconf init failure block the connect attempt (#1652) @bdraco
- Bound camera image stream reassembly to prevent memory exhaustion (#1648) @bdraco
- [ci] Use uv for pip installs in CI workflow (#1650) @bdraco
- Pin ruff target-version to py311 (#1649) @bdraco
- CLAUDE.md: fix inaccurate ruff target-version and future-import claims (#1647) @bdraco
- Reject msg_type=0 in process_packet to prevent silent last-class fallback (#1645) @bdraco
- Expand CLAUDE.md and add pr-workflow skill (#1646) @bdraco
- Add benchmarks for hot paths affecting real users (#1638) @bdraco
Dependencies
3 changes
- Bump ruff from 0.15.12 to 0.15.13 (#1641) @dependabot[bot]
- Bump pytest-codspeed from 5.0.1 to 5.0.2 (#1640) @dependabot[bot]
- bump pytest-codspeed from 4.5.0 to 5.0.1 (#1639) @dependabot[bot]