PT-2025-47957

Published: 2025-11-24 · Updated: 2025-12-30 · CVE-2025-56400

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Tuya SDK version 6.5.0
Tuya Smart application
Smartlife application
Description

A Cross-Site Request Forgery (CSRF) issue exists in the OAuth implementation of the Tuya SDK. It affects the Tuya Smart and Smartlife mobile applications, as well as third-party applications that integrate the SDK. The applications do not validate the OAuth state parameter during the account linking process, so the callback that completes the flow is not tied to the session that started it; this allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The attacker achieves this by tricking the victim into clicking a specially crafted authorization link, which completes the OAuth flow on the victim's behalf. The result is unauthorized Alexa access to the victim's Tuya-connected devices; successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. The attack does not require the Tuya application to be active at the time, and it affects users regardless of whether they had previously linked Alexa.
Recommendations

Update the Tuya Smart application to a newer version.
Update the Smartlife application to a newer version.
Update any third-party applications integrating the Tuya SDK to a newer version.

Fix

Weakness Enumeration

Session Fixation
CSRF

Related Identifiers

CVE-2025-56400

Affected Products

Smartlife
Tuya Sdk
Tuya Smart