QwikSec

Security Database

CVE

CWE

Training

CVE-2025-15135

Published: Dec 28, 2025

Modified: Dec 29, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component.

Vendor	Product	Versions
joey-zhou	xiaozhi-esp32-server-java	affected `3.0` unaffected `4.0.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

VDB-338513 | joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication

vdb-entry

technical-description

VDB-338513 | CTI Indicators (IOB, IOC, IOA)

signature

permissions-required

Submit #713990 | joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication

third-party-advisory

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143

issue-tracking

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810

issue-tracking

https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701

exploit

issue-tracking

https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.