CVE-2025-59406

The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/	Exploit Third Party Advisory
https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf	Exploit Third Party Advisory
https://www.flocksafety.com/products	Product
https://www.flocksafety.com/products/license-plate-readers	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:flocksafety:flock_safety:6.21.11:*:*:*:*:android:*:*

History

No history.

Information

Published : 2025-10-02 17:16

Updated : 2025-10-24 17:27

NVD link : CVE-2025-59406

Mitre link : CVE-2025-59406

CVE.ORG link : CVE-2025-59406

JSON object : View

Products Affected

flocksafety

flock_safety

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2025-59406", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.5}]}, "published": "2025-10-02T17:16:06.880", "references": [{"url": "https://gainsec.com/2025/09/27/fly-by-device-2-the-falcon-sparrow-gated-wireless-rce-camera-feed-dos-information-disclosure-and-more/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://gainsec.com/wp-content/uploads/2025/09/Root-from-the-Coop-Device-3_-Root-Shell-on-Flock-Safetys-Bravo-Compute-Box-GainSec.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.flocksafety.com/products", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.flocksafety.com/products/license-plate-readers", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "The Flock Safety Pisco com.flocksafety.android.pisco application 6.21.11 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) has a cleartext Auth0 client secret in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover this OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software."}], "lastModified": "2025-10-24T17:27:12.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flocksafety:flock_safety:6.21.11:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "0CD8C06F-A79E-4CBE-80EF-7EB7CAB361C1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}