CVE-2025-56400

8.8 HIGH

📋 TL;DR

A CSRF vulnerability in Tuya SDK's OAuth implementation allows attackers to link their Amazon Alexa account to victims' Tuya accounts without consent. This affects all users of Tuya Smart, Smartlife, and third-party apps using SDK 6.5.0 on Android/iOS, regardless of prior Alexa setup. Successful exploitation enables unauthorized remote control of connected smart devices.

💻 Affected Systems

Products:
  • Tuya Smart mobile app
  • Smartlife mobile app
  • Third-party applications using Tuya SDK 6.5.0
Versions: SDK version 6.5.0
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using vulnerable SDK version; vulnerability exists in OAuth account linking flow for Amazon Alexa integration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full remote control over victim's smart home devices including security cameras, door locks, and alarms, potentially enabling physical intrusion, surveillance, or safety system manipulation.

🟠

Likely Case

Attacker links their Alexa account to victim's Tuya account, gaining voice/app control over smart devices like lights, plugs, and thermostats for harassment or data collection.

🟢

If Mitigated

With proper OAuth state validation and CSRF protections, no unauthorized account linking occurs, maintaining device control integrity.
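The difference between the vulnerable and the mitigated account-linking flow comes down to how the callback is validated. The following is an added example, not Tuya's or Amazon's code: it models a hypothetical app-side OAuth account-linking handler with an in-memory session, a constructed token-exchange table, and example.invalid endpoints, and shows the no-state pattern next to a hardened one that issues a random, single-use, session-bound state with an expiry. The `csrf_attempt` helper reproduces the scenario the advisory describes (a forged callback loaded in the victim's logged-in session) so the two outcomes can be compared.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical authorize endpoint and client parameters (constructed for this example).
AUTHORIZE_URL = "https://idp.example.invalid/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.invalid/alexa/callback"
STATE_TTL_SECONDS = 600


@dataclass
class Session:
    """Server-side session of the logged-in app user (hypothetical store)."""
    user_id: str
    pending_state: Optional[str] = None
    state_issued_at: float = 0.0
    linked_alexa_account: Optional[str] = None


def exchange_code(code: str) -> Optional[str]:
    """Stand-in for the token exchange: maps a code to the IdP account it was issued to.
    Constructed table; a real implementation posts the code to the IdP token endpoint."""
    return {"code-from-attacker": "attacker@example.invalid",
            "code-from-victim": "victim@example.invalid"}.get(code)


def callback_params(url: str) -> dict:
    """Flatten the query string of a redirect URL into single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- Vulnerable pattern: no state, so a callback from any origin is accepted ---

def start_link_vulnerable(session: Session) -> str:
    return AUTHORIZE_URL + "?" + urlencode(
        {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})


def handle_callback_vulnerable(session: Session, url: str) -> bool:
    account = exchange_code(callback_params(url).get("code", ""))
    if account is None:
        return False
    session.linked_alexa_account = account   # whoever obtained the code gets linked
    return True


# --- Hardened pattern: random single-use state bound to the session, with expiry ---

def start_link_hardened(session: Session, now: Optional[float] = None) -> str:
    session.pending_state = secrets.token_urlsafe(32)
    session.state_issued_at = time.time() if now is None else now
    return AUTHORIZE_URL + "?" + urlencode(
        {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "state": session.pending_state})


def handle_callback_hardened(session: Session, url: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    params = callback_params(url)
    expected, got = session.pending_state, params.get("state", "")
    session.pending_state = None            # single use: consume before checking
    if not expected or not got:
        return False                        # no linking was started, or state is missing
    if not hmac.compare_digest(expected.encode(), got.encode()):
        return False                        # state was not issued to this session
    if now - session.state_issued_at > STATE_TTL_SECONDS:
        return False                        # stale state (e.g. an old link replayed later)
    account = exchange_code(params.get("code", ""))
    if account is None:
        return False
    session.linked_alexa_account = account
    return True


def csrf_attempt(handler) -> Optional[str]:
    """Model the advisory's scenario: a callback carrying a code for the attacker's own
    IdP account is loaded inside the victim's logged-in session. Returns what got linked."""
    victim = Session(user_id="victim")
    forged = REDIRECT_URI + "?" + urlencode({"code": "code-from-attacker"})
    handler(victim, forged)
    return victim.linked_alexa_account


def legitimate_link(now: float = 1_000_000.0) -> Optional[str]:
    """Normal hardened flow: the IdP echoes the state back with the victim's own code."""
    victim = Session(user_id="victim")
    state = callback_params(start_link_hardened(victim, now=now))["state"]
    cb = REDIRECT_URI + "?" + urlencode({"code": "code-from-victim", "state": state})
    handle_callback_hardened(victim, cb, now=now + 5)
    return victim.linked_alexa_account


if __name__ == "__main__":
    print("vulnerable:", csrf_attempt(handle_callback_vulnerable))  # attacker@example.invalid
    print("hardened:  ", csrf_attempt(handle_callback_hardened))    # None
    print("legit:     ", legitimate_link())                         # victim@example.invalid
```

The state is consumed before it is compared, so a callback that arrives twice with the same state is rejected the second time, and the constant-time comparison plus TTL cover the remaining ways a forged or replayed callback could slip through. Any backend that accepts a callback without a pending state for the session is the condition the detection section's "missing state parameter" indicator is meant to surface.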

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to click a crafted authorization link; no authentication is needed beyond that victim interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SDK version >6.5.0

Vendor Advisory: https://src.tuya.com/announcement/30

Restart Required: Yes

Instructions:

1. Update the Tuya SDK to the latest version (>6.5.0).
2. Update all affected mobile applications.
3. Restart the applications after the update.

🔧 Temporary Workarounds

Disable Alexa Integration

all

Temporarily disable Amazon Alexa account linking in Tuya/Smartlife apps

Network Segmentation

all

Isolate smart home devices on separate network VLAN

🧯 If You Can't Patch

  • Monitor for unauthorized Alexa account linking in Tuya account settings
  • Disable remote access features for critical devices like cameras and door locks

🔍 How to Verify

Check if Vulnerable:

Check if mobile app uses Tuya SDK version 6.5.0 in app settings or developer documentation

Check Version:

Check app settings → About or consult app store version information

Verify Fix Applied:

Verify SDK version is >6.5.0 and test OAuth state parameter validation during Alexa account linking

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Alexa account linking events
  • Multiple OAuth authorization attempts from different IPs

Network Indicators:

  • HTTP requests to OAuth endpoints without proper state parameters
  • Unusual authorization redirect patterns

SIEM Query:

source="tuya_app" AND event="oauth_authorization" AND (state_parameter="null" OR state_parameter="")

🔗 References
