CVE-2025-56400
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-12-30
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tuya | smartlife | 6.3.1 |
| tuya | smartlife | 6.3.4 |
| tuya | tuya | up to 6.5.0 (excluding) |
| tuya | tuya_smart | 6.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the OAuth implementation of the Tuya SDK 6.5.0 used in Tuya Smart and Smartlife mobile apps and other third-party apps integrating the SDK. The apps do not properly validate the OAuth state parameter during account linking, allowing an attacker to trick a victim into clicking a crafted authorization link. This lets the attacker link their own Amazon Alexa account to the victim's Tuya account without the victim's consent.
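The answer above turns on one missing check: the OAuth `state` value returned to the account-linking callback must be one the user's own session issued, and must be accepted only once. The following is an added example written for this page, not code from BaseFortify, Tuya, or the Tuya SDK. It models a generic linking callback with a server-side `LinkStateStore` (a name and design assumed here), binds each state to the browser session that started the flow, and shows the check refusing a missing state, a replayed state, an expired state, and a state that was issued to a different session, which is the cross-session case the vulnerability describes.

```python
import hmac
import secrets
import time

# Lifetime of a pending account-linking request (an assumed value for this example).
STATE_TTL_SECONDS = 600


class LinkStateStore:
    """Server-side record of pending account-linking requests.

    Each OAuth ``state`` value is random, bound to the browser session that
    started the flow, single-use, and time-limited. This is the check whose
    absence lets a linking callback complete for a session that never started it.
    """

    def __init__(self):
        self._pending = {}  # state -> (session_id, expires_at)

    def issue(self, session_id, now=None):
        """Create a fresh state for the session starting the link flow."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, now + STATE_TTL_SECONDS)
        return state

    def consume(self, state, session_id, now=None):
        """Return True only if ``state`` was issued to ``session_id`` and is unexpired and unused."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)  # pop: a state can be redeemed only once
        if entry is None:
            return False
        bound_session, expires_at = entry
        if now > expires_at:
            return False
        # Constant-time comparison against the session the state was issued to.
        return hmac.compare_digest(bound_session, session_id)


def handle_link_callback(store, session_id, params, now=None):
    """Callback handler for the linking step (hypothetical, generic shape).

    ``params`` is the query string of the redirect back from the identity
    provider. The link is completed only after the state check passes; an
    authorization code arriving without a matching state is discarded.
    """
    state = params.get("state")
    if not state or not store.consume(state, session_id, now):
        return {"status": "rejected",
                "reason": "state missing, unknown, expired, or bound to another session"}
    return {"status": "linked", "code": params.get("code")}


def run_scenarios():
    """Exercise the check with constructed sessions and callback parameters."""
    store = LinkStateStore()
    t0 = 1_700_000_000.0

    # 1. Legitimate flow: the victim's own session starts the link and completes it.
    victim_state = store.issue("victim-session", now=t0)
    legit = handle_link_callback(store, "victim-session",
                                 {"code": "c1", "state": victim_state}, now=t0 + 5)

    # 2. Replay of the same state is refused.
    replay = handle_link_callback(store, "victim-session",
                                  {"code": "c1", "state": victim_state}, now=t0 + 6)

    # 3. Callback with no state parameter at all.
    no_state = handle_link_callback(store, "victim-session", {"code": "c2"}, now=t0 + 7)

    # 4. A state issued to a different session arriving in the victim's session.
    other_state = store.issue("other-session", now=t0)
    cross = handle_link_callback(store, "victim-session",
                                 {"code": "c3", "state": other_state}, now=t0 + 8)

    # 5. A state that has outlived its TTL.
    stale = store.issue("victim-session", now=t0)
    expired = handle_link_callback(store, "victim-session",
                                   {"code": "c4", "state": stale},
                                   now=t0 + STATE_TTL_SECONDS + 1)

    return {
        "legit": legit["status"],
        "replay": replay["status"],
        "no_state": no_state["status"],
        "cross_session": cross["status"],
        "expired": expired["status"],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

Binding the state to the session rather than merely checking that some state is present is the part that matters for the cross-session case: an authorization response carrying a valid-looking state from another session is still rejected because the server records who asked for it. Popping the entry on first use also closes the replay path. In a real app the store would live in the session backend or a short-TTL cache rather than a process-local dict.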
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain unauthorized access to the victim's Tuya-connected devices via their own Alexa account. This could allow remote control of devices such as cameras, doorbells, door locks, or alarms, potentially compromising the victim's security and privacy.