CVE-2025-61117: n/a
CVE-2025-61117 is an improper access control vulnerability in the Senza: Keto & Fasting Android app (version 2.10.15). Insufficient checks in the app's user data API endpoints allow attackers to obtain authentication tokens, enabling account takeover and, in turn, unauthorized access, privacy breaches, and misuse of user accounts. No CVSS score has been assigned yet, and no exploitation in the wild has been reported. Because the flaw sits in the user authentication mechanism, it directly threatens the confidentiality and integrity of user data. European organizations and users relying on this app for health and diet tracking could face significant privacy risks. Mitigation requires a patched app that enforces strict access controls and token validation, together with user awareness to update promptly. Countries with high Android usage and significant health app adoption, such as Germany, France, and the UK, are most likely impacted. Given the ease of exploitation and the sensitivity of the exposed data, the suggested severity is high.
AI Analysis
Technical Summary
CVE-2025-61117 identifies a security vulnerability in the Senza: Keto & Fasting Android application, specifically version 2.10.15. The vulnerability arises from improper access control in the app's user data API endpoints, which fail to adequately verify the legitimacy of requests for authentication tokens. Attackers exploiting this flaw can retrieve valid authentication tokens without proper authorization, enabling them to perform account takeovers. This compromises user accounts, allowing unauthorized access to personal health and dietary information stored within the app. The vulnerability impacts the confidentiality and integrity of user data and could lead to privacy violations and misuse of the platform, such as fraudulent activity or manipulation of user data. No CVSS score has been assigned yet, and there are no known exploits in the wild, but the nature of the vulnerability suggests a significant risk. The app's reliance on token-based authentication without sufficient validation is the root cause, indicating a failure in enforcing proper access control policies on API endpoints. This type of vulnerability is particularly dangerous in health-related applications where sensitive personal data is involved. The vulnerability was reserved in late September 2025 and published in late October 2025, indicating recent discovery and disclosure. No patches or fixes have been linked yet, highlighting the urgency for developers and users to address the issue promptly.
Potential Impact
For European organizations and users, this vulnerability poses a serious risk to personal data privacy and security. Health and diet tracking apps often contain sensitive information, including health metrics, dietary habits, and potentially location data. Unauthorized access through account takeover can lead to exposure of this sensitive data, violating GDPR and other privacy regulations prevalent in Europe. Organizations that integrate or recommend this app risk reputational damage and potential regulatory penalties if user data is compromised. Additionally, attackers could misuse compromised accounts for fraudulent activities or to spread misinformation. The impact extends beyond individual users to healthcare providers or wellness programs that rely on accurate user data. Given the widespread use of Android devices in Europe and the popularity of health apps, the scope of affected users could be substantial. The lack of a patch increases the window of exposure, emphasizing the need for immediate mitigation measures.
Mitigation Recommendations
1. Developers should urgently implement and deploy patches that enforce strict access control on all user data API endpoints, ensuring authentication tokens cannot be retrieved without proper authorization.
2. Introduce multi-factor authentication (MFA) to reduce the risk of account takeover even if tokens are compromised.
3. Conduct thorough security audits and penetration testing focused on API endpoint security and token management.
4. Users should be advised to update the app immediately once a patch is released and to monitor their accounts for suspicious activity.
5. Implement rate limiting and anomaly detection on API endpoints to detect and block suspicious token requests.
6. Educate users on recognizing phishing attempts or suspicious communications that might exploit this vulnerability.
7. Organizations using the app should consider temporary suspension of its use until a secure version is available, especially in regulated environments.
8. Employ encryption and secure storage of authentication tokens on the client side to prevent token theft from the device.
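The technical summary describes a user data endpoint that hands out authentication tokens on insufficient checks, and mitigation items 1 and 5 call for strict per-object authorization and rate limiting on those endpoints. The following is an added example that is not code from the Senza app or from the advisory: it shows the general class of defect (a profile handler that serves any user's full record, token included, to any caller) next to a hardened handler that authenticates the bearer, enforces that the caller may only read their own record, never serialises token fields, rate-limits by client address and writes an audit entry for every refusal. The user store, session table, field names and request shape are all constructed for this illustration and are not a reconstruction of the actual app.

```python
"""Weak vs. hardened handling of a user-data profile endpoint (illustrative)."""
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass

# Constructed sample store: user id -> record. Keeping the session token in the
# same record a profile endpoint serialises is what makes the weak handler leak it.
USERS = {
    "u-1001": {"email": "alice@example.invalid", "fasting_goal_h": 16,
               "session_token": "tok-alice-SECRET"},
    "u-1002": {"email": "bob@example.invalid", "fasting_goal_h": 18,
               "session_token": "tok-bob-SECRET"},
}
# Constructed table of valid bearer tokens -> the principal they authenticate.
SESSIONS = {"tok-alice-SECRET": "u-1001", "tok-bob-SECRET": "u-1002"}

# Allow-list of fields a profile response may contain. Token fields are not on
# it, so they are never returned regardless of who asks.
PROFILE_FIELDS = ("email", "fasting_goal_h")


@dataclass
class Request:
    path_user_id: str            # the {id} in GET /users/{id}/profile
    bearer: str | None = None    # value of "Authorization: Bearer <token>"
    client_ip: str = "198.51.100.7"  # constructed documentation address


def weak_profile(req: Request) -> tuple[int, dict]:
    """The defect class: no check that the caller is the user named in the
    path, and the whole record (session token included) is returned."""
    rec = USERS.get(req.path_user_id)
    return (404, {}) if rec is None else (200, dict(rec))


def authenticate(bearer: str | None) -> str | None:
    """Resolve a bearer token to a principal using constant-time comparison."""
    if not bearer:
        return None
    for token, uid in SESSIONS.items():
        if hmac.compare_digest(token.encode(), bearer.encode()):
            return uid
    return None


class RateLimiter:
    """Sliding-window limiter keyed by client address (mitigation item 5)."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits: dict[str, list[float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


LIMITER = RateLimiter(limit=5, window_s=60)
AUDIT: list[tuple[str, str, str]] = []   # (event, actor, target) for detection


def hardened_profile(req: Request, limiter: RateLimiter = LIMITER) -> tuple[int, dict]:
    """Authenticate, authorize at object level, then return only allow-listed fields."""
    if not limiter.allow(req.client_ip):
        AUDIT.append(("rate_limited", req.client_ip, req.path_user_id))
        return 429, {"error": "too many requests"}
    principal = authenticate(req.bearer)
    if principal is None:
        AUDIT.append(("unauthenticated", req.client_ip, req.path_user_id))
        return 401, {"error": "authentication required"}
    if principal != req.path_user_id:
        # Cross-account read attempt: refuse and record it for anomaly detection.
        AUDIT.append(("forbidden", principal, req.path_user_id))
        return 403, {"error": "forbidden"}
    rec = USERS.get(req.path_user_id)
    if rec is None:
        return 404, {"error": "not found"}
    return 200, {k: rec[k] for k in PROFILE_FIELDS if k in rec}


if __name__ == "__main__":
    print("weak:    ", weak_profile(Request("u-1001")))
    print("hardened:", hardened_profile(Request("u-1001", bearer="tok-alice-SECRET")))
    print("cross-account:", hardened_profile(Request("u-1001", bearer="tok-bob-SECRET")))
```

The two properties worth carrying into any real backend are the allow-list (a response schema that cannot contain a credential, so a missing authorization check degrades to a profile leak rather than a token leak) and the audit list: repeated `forbidden` entries from one principal against many targets are the signal a detection rule would alert on.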
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69038a85aebfcd54747b5acb
Added to database: 10/30/2025, 3:55:49 PM
Last enriched: 10/30/2025, 4:11:30 PM
Last updated: 10/30/2025, 6:35:38 PM