CVE-2025-59406
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-24
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flocksafety | flock_safety | 6.21.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Flock Safety Pisco Android application shipping a cleartext Auth0 client secret inside its own code. An APK is trivially unpacked and decompiled (resources, BuildConfig constants and string literals are all recoverable), so anyone who can download the app can read the secret; no device privileges or network position are needed. An OAuth client secret exists to prove to the authorization server that a request comes from the real, confidential client, which is exactly why it must never be embedded in software distributed to end users. Note that although the record is tagged CWE-319 (cleartext transmission), the problem described is a hard-coded credential in the binary rather than interception on the wire.
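The check a practitioner would run against their own build: scan decompiled APK output for Auth0 configuration keys and decide whether a value next to a "secret" key is a real credential or a placeholder. The scanner below is an added example written for this page, not code from Flock Safety, Auth0 or the CVE record; the sample input (a fake strings.xml fragment, a BuildConfig constant and a Kotlin constant) is constructed, and the secret-looking value in it is random filler, not a real credential. The resource names com_auth0_client_id and com_auth0_domain are the ones Auth0's Android SDK reads from strings.xml; the assumption the example makes is that a high-entropy value stored under any client_secret-like key in a shipped app is a finding.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Resource/field names that commonly carry OAuth client credentials in Android
# apps. Auth0's SDK reads com_auth0_client_id / com_auth0_domain from
# strings.xml; a client secret has no legitimate place beside them.
CREDENTIAL_KEY = re.compile(
    r'(?P<key>[A-Za-z0-9_.]*?(?:client[_-]?secret|auth0[_-]?client[_-]?id|auth0[_-]?domain)[A-Za-z0-9_.]*)'
    r'[\s"=:>]{1,6}'                       # separator: = " : > or whitespace
    r'(?P<value>[A-Za-z0-9_\-./+=]{8,})',  # stops at quotes, < and ;
    re.IGNORECASE,
)

MIN_SECRET_LEN = 16  # shorter values are rarely real OAuth client secrets
MIN_ENTROPY = 3.5    # bits/char; placeholders such as REPLACE_ME_LATER score ~3.0


@dataclass
class Finding:
    line: int
    key: str
    value: str
    kind: str       # "secret", "placeholder" or "public-config"
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base62 of secret length lands near 5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key: str, value: str) -> str:
    """Client id and domain are meant to be public; only secret keys are findings."""
    if "secret" not in key.lower():
        return "public-config"
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY:
        return "secret"
    return "placeholder"


def scan_text(text: str) -> List[Finding]:
    """Scan decompiled output (strings.xml, BuildConfig.java, .kt, smali) line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_KEY.finditer(line):
            key, value = m.group("key"), m.group("value")
            findings.append(Finding(lineno, key, value, classify(key, value),
                                    round(shannon_entropy(value), 2)))
    return findings


def has_embedded_secret(text: str) -> bool:
    return any(f.kind == "secret" for f in scan_text(text))


# Constructed sample of decompiled output; none of these values are real.
SAMPLE_DECOMPILED = """\
<!-- res/values/strings.xml (constructed sample, not from any real app) -->
<string name="com_auth0_domain">example-tenant.us.auth0.com</string>
<string name="com_auth0_client_id">aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW</string>
// BuildConfig.java (constructed sample): the kind of line this CVE describes
public static final String AUTH0_CLIENT_SECRET = "Zq8xT2vKw0LmR5nP7yD3hG9bJ4cF6sA1eU0iO8kN";
// LegacyConfig.kt (constructed sample): a placeholder, not a live credential
val clientSecret = "REPLACE_ME_LATER"
// TODO rotate the client_secret before release
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DECOMPILED):
        print(f"line {f.line}: {f.key} [{f.kind}] entropy={f.entropy}")
```

In practice you would feed it the output of `apktool d app.apk` (resources and smali) or `jadx` (Java sources) file by file; the entropy threshold keeps build placeholders out of the report, and the client id and domain lines are reported only as context confirming that the app talks to Auth0.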
How can this vulnerability impact me?
An attacker who recovers the client secret holds a credential that Auth0 treats as proof of the application's identity. Depending on how the tenant and its grants are configured, that can let them obtain tokens from the token endpoint as if they were the legitimate app, complete authorization-code exchanges they intercept, or otherwise reach services that trust tokens issued to that client, leading to unauthorized access to user data. Because the secret ships inside the APK, every installed copy leaks the same value, so the remediation is to rotate the secret on the Auth0 side and treat the mobile app as a public client (Authorization Code flow with PKCE); shipping a new secret in a later build only restarts the clock.