CVE-2025-43916 (GCVE-0-2025-43916)

Vulnerability from cvelistv5 – Published: 2025-04-21 00:00 – Updated: 2025-04-21 14:03
VLAI?
Summary
Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret."
Severity ?
3.4 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE
  • CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions
Assigner
References
Impacted products
Vendor Product Version
Sonos api.sonos.com Affected: 0 , ≤ 2025-04-21 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43916",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:02:24.780069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T14:03:20.440Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "api.sonos.com",
          "vendor": "Sonos",
          "versions": [
            {
              "lessThanOrEqual": "2025-04-21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with \"Decompiling the app revealed a hardcoded secret.\""
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-647",
              "description": "CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-21T13:49:45.236Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/larlarua/vulnerability-reports/blob/main/CVE-2025-43916/detail.md"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-43916",
    "datePublished": "2025-04-21T00:00:00.000Z",
    "dateReserved": "2025-04-19T00:00:00.000Z",
    "dateUpdated": "2025-04-21T14:03:20.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-43916\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-04-21T14:15:36.593\",\"lastModified\":\"2025-04-21T14:23:45.950\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"exclusively-hosted-service\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with \\\"Decompiling the app revealed a hardcoded secret.\\\"\"},{\"lang\":\"es\",\"value\":\"Sonos api.sonos.com hasta el 21/04/2025, al usar el punto de acceso /login/v3/oauth, acepta un redirect_uri que contiene informaci\u00f3n de usuario en el componente de autoridad, lo cual no es coherente con la secci\u00f3n 5.2.3.5 de la RFC 6819. Es posible que se env\u00ede un c\u00f3digo de autorizaci\u00f3n a un destino controlado por el atacante. Esto podr\u00eda tener implicaciones adicionales en relaci\u00f3n con el caso \\\"La descompilaci\u00f3n de la aplicaci\u00f3n revel\u00f3 un secreto codificado\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N\",\"baseScore\":3.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-647\"}]}],\"references\":[{\"url\":\"https://github.com/larlarua/vulnerability-reports/blob/main/CVE-2025-43916/detail.md\",\"source\":\"cve@mitre.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-43916\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-21T14:02:24.780069Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-21T14:02:51.062Z\"}}], \"cna\": {\"tags\": [\"exclusively-hosted-service\"], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.4, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"Sonos\", \"product\": \"api.sonos.com\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2025-04-21\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://github.com/larlarua/vulnerability-reports/blob/main/CVE-2025-43916/detail.md\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with \\\"Decompiling the app revealed a hardcoded secret.\\\"\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-647\", \"description\": \"CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-04-21T13:49:45.236Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-43916\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-21T14:03:20.440Z\", \"dateReserved\": \"2025-04-19T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-04-21T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.