CVE-2024-32876
📋 TL;DR
CVE-2024-32876 allows arbitrary code execution in the NewPipe Android app when a user imports a malicious backup file. The vulnerability affects all users of NewPipe versions 0.13.4 through 0.26.1 who import backup files from untrusted sources.
💻 Affected Systems
- NewPipe
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the NewPipe app, data theft, potential Android sandbox escape leading to broader device compromise, and execution of arbitrary malicious code on the device.
Likely Case
App crash, theft of NewPipe user data (subscriptions, watch history), and limited malicious actions within the app's permissions.
If Mitigated
No impact if users only import backups from trusted sources or have updated to a patched version.
🎯 Exploit Status
Exploitation requires user interaction: the victim must import a malicious backup file. An attacker needs to craft a backup file that abuses Java serialization (an untrusted object stream being deserialized by the app).
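The defensive pattern for the bug class named above, as an added example that is not NewPipe's own code (the project's actual patch is linked in the references): a settings backup is a Java-serialized map, and the import path should refuse to resolve any class outside a fixed allowlist instead of letting `ObjectInputStream` instantiate whatever the file names. The class names in the allowlist and the `SafeSettingsImport` class are assumptions made for the demo; superclasses that appear in the stream's class descriptors (such as `java.lang.Number` for `Integer`) must be listed as well, because `resolveClass` is called for them too.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Example (not NewPipe's own code): reads a Java-serialized settings map while
 * refusing any class outside a fixed allowlist, so a crafted stream cannot
 * instantiate arbitrary classes during readObject().
 */
public class SafeSettingsImport {

    // Types a serialized preferences map legitimately needs (assumed list).
    // java.lang.Number is included because it is the serializable superclass of
    // Integer/Long/Float and is therefore present in the stream's descriptors.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.util.HashSet",
            "java.lang.Number",
            "java.lang.Integer",
            "java.lang.Long",
            "java.lang.Float",
            "java.lang.Boolean",
            "java.lang.String"));

    /** ObjectInputStream that rejects any class descriptor not on the allowlist. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in); // also validates the stream magic/version header
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed before the class is loaded or instantiated.
                throw new InvalidClassException(name, "class not permitted in settings backup");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("dynamic proxies not permitted in settings backup");
        }
    }

    /** Deserialize a settings backup; returns the map or throws on anything unexpected. */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> importSettings(byte[] backup)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(backup))) {
            Object root = in.readObject();
            if (!(root instanceof HashMap)) {
                throw new InvalidClassException("settings backup root is not a HashMap");
            }
            return (Map<String, Object>) root;
        }
    }

    /** Helper that builds a serialized object for the demo inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign settings map round-trips through the filter.
        Map<String, Object> prefs = new HashMap<>();
        prefs.put("theme", "dark");
        prefs.put("volume", 80);
        System.out.println("benign import: " + importSettings(serialize(prefs)));

        // Constructed sample: a stream whose root is a type outside the allowlist
        // (a harmless ArrayList standing in for an unexpected class) is rejected
        // before any instance of it is created.
        try {
            importSettings(serialize(new ArrayList<>(Arrays.asList("x"))));
            System.out.println("unexpected: untrusted class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection is raised from `resolveClass`, which runs while the class descriptor is being read, so no constructor, `readObject` or `readResolve` of the foreign class ever executes; an `InvalidClassException` at that point is exactly the "unexpected Java serialization error" the Detection section below lists as an indicator worth logging.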
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.27.0
Vendor Advisory: https://github.com/TeamNewPipe/NewPipe/security/advisories/GHSA-wxrm-jhpf-vp6v
Restart Required: Yes
Instructions:
1. Update NewPipe to version 0.27.0 or later from official sources (F-Droid or GitHub).
2. Restart the app after the update.
3. Avoid importing backup files from untrusted sources.
🔧 Temporary Workarounds
Disable backup import
Platform: Android. Avoid importing any backup files until patched.
No commands - manual app configuration
Use only trusted backups
Platform: Android. Only import backup files created by yourself or obtained from completely trusted sources.
No commands - user behavior
🧯 If You Can't Patch
- Do not import any backup files from external sources
- Uninstall NewPipe and use alternative video streaming apps
🔍 How to Verify
Check if Vulnerable:
Check NewPipe version in app settings. If version is between 0.13.4 and 0.26.1 inclusive, you are vulnerable.
Check Version:
Open NewPipe → Settings → About → Check version number
Verify Fix Applied:
Update to version 0.27.0 or later and verify version in app settings.
📡 Detection & Monitoring
Log Indicators:
- App crashes during backup import
- Unexpected Java serialization errors
- Suspicious class loading during backup processing
Network Indicators:
- No network indicators - exploitation is local file-based
SIEM Query:
Not applicable - local Android app vulnerability
🔗 References
- https://docs.oracle.com/javase/6/docs/platform/serialization/spec/protocol.html
- https://github.com/TeamNewPipe/NewPipe/commit/a69bbab73220f36e53c801cf7e9ea3627bb017eb
- https://github.com/TeamNewPipe/NewPipe/releases/tag/v0.27.0
- https://github.com/TeamNewPipe/NewPipe/security/advisories/GHSA-wxrm-jhpf-vp6v