FKIE_CVE-2025-56400

Vulnerability from fkie_nvd - Published: 2025-11-24 20:15 - Updated: 2025-12-30 17:51
Summary
A Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, and allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
Impacted products
Vendor   Product       Version                    Platform
tuya     smartlife     6.3.1                      iphone_os
tuya     smartlife     6.3.4                      android
tuya     tuya          * (versions before 6.5.0)  android
tuya     tuya          * (versions before 6.5.0)  iphone_os
tuya     tuya_smart    6.3.1                      android
tuya     tuya_smart    6.3.1                      iphone_os

(Platform and version range taken from the cpeMatch criteria in the record below; "versionEndExcluding": "6.5.0" means every version prior to 6.5.0 is listed as vulnerable.)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tuya:smartlife:6.3.1:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "0CF67072-EEB4-450F-AF95-AD156911D384",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tuya:smartlife:6.3.4:*:*:*:*:android:*:*",
              "matchCriteriaId": "04E6387D-69E1-45A0-B7D9-193FB792E119",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tuya:tuya:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "61AEDA2E-C69C-45DB-899C-6A4BB5497CF3",
              "versionEndExcluding": "6.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tuya:tuya:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "DF11CD85-42F0-47A4-998B-A666B8DA69FE",
              "versionEndExcluding": "6.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tuya:tuya_smart:6.3.1:*:*:*:*:android:*:*",
              "matchCriteriaId": "C64E24CF-3387-4E95-9C42-84605B5CC230",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tuya:tuya_smart:6.3.1:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "37DD5BCF-A48D-460D-90BC-AB7D59035558",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim\u0027s Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim\u0027s behalf, resulting in unauthorized Alexa access to the victim\u0027s Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms."
    }
  ],
  "id": "CVE-2025-56400",
  "lastModified": "2025-12-30T17:51:20.047",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-24T20:15:49.560",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://tuya.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://src.tuya.com/announcement/30"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        },
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}
