CVE-2025-56400
中文标题:
(暂无数据)
英文标题:
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 fo...
漏洞描述
中文描述:
(暂无数据)
英文描述:
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| tuya | smartlife | 6.3.1 | - | - |
cpe:2.3:a:tuya:smartlife:6.3.1:*:*:*:*:iphone_os:*:*
|
| tuya | smartlife | 6.3.4 | - | - |
cpe:2.3:a:tuya:smartlife:6.3.4:*:*:*:*:android:*:*
|
| tuya | tuya | * | - | - |
cpe:2.3:a:tuya:tuya:*:*:*:*:*:android:*:*
|
| tuya | tuya_smart | 6.3.1 | - | - |
cpe:2.3:a:tuya:tuya_smart:6.3.1:*:*:*:*:android:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (adp)
HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-56400 |
2025-11-25 02:04:31 | 2026-01-12 02:12:05 |
| NVD | nvd_CVE-2025-56400 |
2025-12-31 03:17:09 | 2026-01-12 02:27:53 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 0 -> 4
- data_sources: ['cve'] -> ['cve', 'nvd']