CVE-2025-56400

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://tuya.com	Broken Link
https://src.tuya.com/announcement/30	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tuya:smartlife:6.3.1:::::iphone_os::
	cpe:2.3:a:tuya:smartlife:6.3.4:::::android::
	cpe:2.3:a:tuya:tuya::::::android::*
	cpe:2.3:a:tuya:tuya::::::iphone_os::*
	cpe:2.3:a:tuya:tuya_smart:6.3.1:::::android::
	cpe:2.3:a:tuya:tuya_smart:6.3.1:::::iphone_os::

History

No history.

Information

Published : 2025-11-24 20:15

Updated : 2025-12-30 17:51

NVD link : CVE-2025-56400

Mitre link : CVE-2025-56400

CVE.ORG link : CVE-2025-56400

JSON object : View

Products Affected

tuya

smartlife
tuya
tuya_smart

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-384

Session Fixation

{"id": "CVE-2025-56400", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-11-24T20:15:49.560", "references": [{"url": "http://tuya.com", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://src.tuya.com/announcement/30", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms."}], "lastModified": "2025-12-30T17:51:20.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tuya:smartlife:6.3.1:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "0CF67072-EEB4-450F-AF95-AD156911D384"}, {"criteria": "cpe:2.3:a:tuya:smartlife:6.3.4:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "04E6387D-69E1-45A0-B7D9-193FB792E119"}, {"criteria": "cpe:2.3:a:tuya:tuya:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "61AEDA2E-C69C-45DB-899C-6A4BB5497CF3", "versionEndExcluding": "6.5.0"}, {"criteria": "cpe:2.3:a:tuya:tuya:*:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "DF11CD85-42F0-47A4-998B-A666B8DA69FE", "versionEndExcluding": "6.5.0"}, {"criteria": "cpe:2.3:a:tuya:tuya_smart:6.3.1:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "C64E24CF-3387-4E95-9C42-84605B5CC230"}, {"criteria": "cpe:2.3:a:tuya:tuya_smart:6.3.1:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "37DD5BCF-A48D-460D-90BC-AB7D59035558"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}