Impact
The WebServer component of the arduino-esp32 core implements HTTP Digest authentication, but it incorrectly uses the URI supplied in the client’s Authorization header to calculate the response hash without verifying that it matches the actual requested resource. This flaw allows an attacker who knows a valid digest response for one protected URI (URI‑A) to replay that response to a different protected URI (URI‑B). The result is a bypass of per‑resource access controls, permitting the attacker to obtain data and services that should be restricted to authenticated users. The vulnerability is the classic authentication bypass weakness identified as CWE‑287.
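The binding check described above, as an added example (not code from arduino-esp32 or from this advisory): an RFC 2617 digest verifier in which `check_uri=False` models the flawed behaviour and the default compares the header's `uri` with the request target before accepting the hash. The function names, credentials, nonce and the `/status` and `/config` paths are constructed for illustration; nonce freshness checks are assumed to happen elsewhere.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header):
    """Parse 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(f, method, ha1):
    """RFC 2617 response value; HA2 covers the uri field taken from the header."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if f.get("qop") == "auth":
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")

def verify(header, method, request_uri, ha1, check_uri=True):
    """check_uri=False models the flaw: only the header's own uri is hashed."""
    f = parse_digest(header)
    required = {"username", "nonce", "uri", "response"}
    if f.get("qop") == "auth":
        required |= {"nc", "cnonce"}
    if not required.issubset(f):
        return False
    if check_uri and f["uri"] != request_uri:
        return False  # header uri must name the resource actually requested
    want = expected_response(f, method, ha1).encode()
    return hmac.compare_digest(want, f["response"].lower().encode())

# Constructed sample: credentials, nonce and paths are made up for the demo.
HA1 = md5_hex("admin:esp32:constructed-pass")

def sample_header(uri, nonce="c0ffee", nc="00000001", cnonce="abcd"):
    f = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = expected_response(f, "GET", HA1)
    return (f'Digest username="admin", realm="esp32", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

if __name__ == "__main__":
    hdr = sample_header("/status")
    print(verify(hdr, "GET", "/status", HA1))                   # same resource
    print(verify(hdr, "GET", "/config", HA1, check_uri=False))  # flawed check
    print(verify(hdr, "GET", "/config", HA1))                   # uri bound to target
```

The exact string comparison assumes the client sends the request target unchanged in `uri`; a server that normalises paths has to normalise both sides the same way before comparing.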
Affected Systems
Espressif’s Arduino core for the ESP32 family, including ESP32, ESP32‑S2, ESP32‑S3, ESP32‑C3, ESP32‑C6 and ESP32‑H2 microcontrollers. All releases prior to version 3.3.8 are affected. The issue is resolved in release 3.3.8 and later.
Risk and Exploitability
The CVSS score of 7.5 classifies the vulnerability as high severity. EPSS data is currently unavailable, but the flaw resides in a widely exposed WebServer endpoint, so the attack vector is most likely remote, over a network connection. An attacker only needs a valid digest response for a legitimate resource; once obtained, they can replay it to any other protected URI. Because the vulnerability exploits an authentication weakness rather than a code execution flaw, exploitation is relatively low‑effort for users who can capture or guess a digest challenge, and the impact can be significant for sensitive or confidential resources. The vulnerability is not listed in the CISA KEV catalog at this time, but it remains a high‑risk operational issue for systems that rely on the affected firmware.