← Back
2025-12-28 12:2CVE-2025-15135VulDB
PUBLISHED5.2CWE-287

joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication

A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component.

Problem type

Affected products

joey-zhou

xiaozhi-esp32-server-java

3.0 - AFFECTED

4.0.0 - UNAFFECTED

References

VDB-338513 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication

https://vuldb.com/?id.338513

vdb-entrytechnical-description
VDB-338513 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/?ctiid.338513

signaturepermissions-required
Submit #713990 | joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication

https://vuldb.com/?submit.713990

third-party-advisory
github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143

issue-tracking
github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810

issue-tracking
github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701

exploitissue-tracking
github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0

patch

GitHub Security Advisories

GHSA-7x46-g3w8-h64v

A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts...

https://github.com/advisories/GHSA-7x46-g3w8-h64v

A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-15135

github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143

github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701

github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810

github.com

https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0

vuldb.com

https://vuldb.com/?ctiid.338513

vuldb.com

https://vuldb.com/?id.338513

vuldb.com

https://vuldb.com/?submit.713990

github.com

https://github.com/advisories/GHSA-7x46-g3w8-h64v

JSON source

https://cveawg.mitre.org/api/cve/CVE-2025-15135
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2025-15135",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2025-12-28T12:02:07.346Z",
    "dateReserved": "2025-12-27T09:52:55.766Z",
    "datePublished": "2025-12-28T12:02:07.346Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2025-12-28T12:02:07.346Z"
      },
      "title": "joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication",
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component."
        }
      ],
      "affected": [
        {
          "vendor": "joey-zhou",
          "product": "xiaozhi-esp32-server-java",
          "modules": [
            "Cookie Handler"
          ],
          "versions": [
            {
              "version": "3.0",
              "status": "affected"
            },
            {
              "version": "4.0.0",
              "status": "unaffected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Authentication",
              "cweId": "CWE-287",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.338513",
          "name": "VDB-338513 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.338513",
          "name": "VDB-338513 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.713990",
          "name": "Submit #713990 | joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143",
          "tags": [
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810",
          "tags": [
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701",
          "tags": [
            "exploit",
            "issue-tracking"
          ]
        },
        {
          "url": "https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0",
          "tags": [
            "patch"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
            "baseScore": 6.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2025-12-27T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2025-12-27T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2025-12-27T10:58:22.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "zzdzz (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}