CVE 8.8 HIGH

CVE-2025-56400_CVE-2025-56400

November 24, 2025 invoker category_cve
8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.

AI Analysis

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK

Basic Information

ID CVE-2025-56400
Source mitre
Published Nov 24, 2025 at 00:00
Modified Nov 24, 2025 at 20:14

Affected Product

Vendor Tuya
Product Tuya SDK
Version 6.5.0
Affected Versions n/a n/a n/a

CWE Classification

CWE-352 CWE-384

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor Tuya
Product Tuya SDK
Version 6.5.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.