⬆️ Update esphome to v2025.12.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
esphome	==2025.12.3 → ==2025.12.7

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

ESPHome vulnerable to denial-of-service via out-of-bounds check bypass in the API component

CVE-2026-23833 / GHSA-4h3h-63v6-88qx

More information

Details

Summary

An integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used.

Details

The bounds check ptr + field_length > end in components/api/proto.cpp can overflow when a malicious client sends a large field_length value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash.

When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required.

Affected Versions

ESPHome 2025.9.0 through 2025.12.6

Mitigation

• Upgrade to ESPHome 2025.12.7 or later (or 2026.1.0b3 or later)
• Enable API encryption with a unique key per device
• Follow the Security Best Practices

Severity

Low - Users following Security Best Practices with API encryption enabled are not affected without knowledge of the encryption key.

Impact

Denial-of-service. An attacker with network access to port 6053 can crash and reboot the device.

Credits

Thanks to @​Mat931 for responsibly reporting this vulnerability.

Severity

• CVSS Score: 6.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx
• https://nvd.nist.gov/vuln/detail/CVE-2026-23833
• https://github.com/esphome/esphome/pull/13306
• https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6
• https://esphome.io/guides/security_best_practices
• https://github.com/advisories/GHSA-4h3h-63v6-88qx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

esphome/esphome (esphome)

v2025.12.7

Compare Source

• [i2s_audio] Bugfix: Buffer overflow in software volume control esphome#13190 by @​kahrendt
• [api] Use subtraction for protobuf bounds checking esphome#13306 by @​bdraco

v2025.12.6

Compare Source

• [espnow] fix channel validation esphome#13057 by @​ssieb
• [seeed_mr24hpc1] Add ifdef guards for conditional entity types esphome#13147 by @​swoboda1337
• [ltr_als_ps] Remove incorrect device_class from count sensors esphome#13167 by @​swoboda1337
• [packet_transport] Fix packet size check to account for round4 padding esphome#13165 by @​swoboda1337
• [remote_transmitter] Fix ESP8266 timing by using busy loop esphome#13172 by @​swoboda1337
• [esphome] Fix OTA backend abort not being called on error esphome#13182 by @​bdraco

v2025.12.5

Compare Source

• [lvgl] Fix arc background angles esphome#12773 by @​clydebarrow
• [sn74hc595]: fix 'Attempted read from write-only channel' when using esp-idf framework esphome#12801 by @​aanikei
• [wts01] Fix negative values for WTS01 sensor esphome#12835 by @​cnrd
• [esp32_ble] Remove requirement for configured network esphome#12891 by @​clydebarrow
• [cc1101] Add PLL lock verification and retry support esphome#13006 by @​swoboda1337

v2025.12.4

Compare Source

• [hub75] Add clipping check esphome#12762 by @​stuartparmenter
• [wifi] Fix ESP-IDF reporting connected before DHCP completes on reconnect esphome#12755 by @​bdraco
• [docker] Add build-essential to fix ruamel.yaml 0.19.0 compilation esphome#12769 by @​bdraco

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}