CVE-2025-65713 — Home Assistant Core before is vulnerable to Directory Traversal

Description

Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.

How to fix CVE-2025-65713

To remediate CVE-2025-65713, upgrade the affected package to a fixed version below.

PyPI/homeassistant—upgrade to 2025.8.0 or later

Is CVE-2025-65713 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2025.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-65713
PATCHgithub.com/home-assistant/core
WEBgist.github.com/GenoWang/7359360285e0fe21a7a58d10ff71d032
WEBgithub.com/home-assistant/core/blob/a4d12694dae82f10e2ca9c524e44a22ab7dacf66/homeassistant/components/downloader/services.py#L32