Description

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.

INFO

Published Date :

2025-11-24T00:00:00.000Z

Last Modified :

2025-11-24T20:14:42.080Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-56400 vulnerability.

Vendors Products
Apple
  • Ios
Google
  • Android
Tuya
  • Smart
  • Smartlife
  • Tuya
  • Tuya Smart
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-56400.

URL Resource
http://tuya.com cve-icon cve-icon
https://src.tuya.com/announcement/30 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact