Medium severity6.3OSV Advisory· Published Dec 28, 2025· Updated Apr 29, 2026

CVE-2025-15135

Description

A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component.

Affected products

Joey Zhou/Xiaozhi Esp32 Server JavaOSV
Range: v2.7.57, v2.7.60, v2.7.61, …

Patches

d69b616a46dd

Merge branch 'main' of https://github.com/joey-zhou/xiaozhi-esp32-server-java

https://github.com/joey-zhou/xiaozhi-esp32-server-javaJoeyZhouDec 17, 2025via osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000