Login Sign Up

CVE-2025-14516

6.3 MEDIUM
SSRF

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Yalantis uCrop Android library version 2.2.11. The vulnerability allows attackers to make unauthorized requests from the vulnerable server to internal systems, potentially accessing sensitive data or services. Android applications using this vulnerable library version are affected.

💻 Affected Systems

Products:
  • Yalantis uCrop Android library
Versions: 2.2.11
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android applications that use the vulnerable uCrop library version.

📦 What is this software?

Ucrop by Yalantis

View all CVEs affecting Ucrop →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to attack other internal systems from the vulnerable server.

🟠

Likely Case

Information disclosure from internal services, potential access to cloud metadata services, or scanning of internal networks.

🟢

If Mitigated

Limited impact if network segmentation restricts outbound connections and internal services require authentication.

🌐 Internet-Facing: MEDIUM - Requires user interaction in mobile app context, but exploit is public and could be triggered through malicious content.
🏢 Internal Only: LOW - Primarily affects mobile applications, not typically deployed as internal services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and could be integrated into malicious apps or content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Check if your Android app uses uCrop 2.2.11
2. Monitor for vendor updates
3. Consider alternative libraries or implementing custom validation

🔧 Temporary Workarounds

Input validation and URL filtering

all

Implement strict validation of URLs passed to uCrop functions, whitelist allowed domains, and block internal/private IP addresses.

Network restrictions

all

Configure network policies to restrict outbound connections from mobile apps to only necessary external services.

🧯 If You Can't Patch

  • Implement application-level URL validation before passing to uCrop
  • Use network segmentation to limit what internal services the vulnerable app can access

🔍 How to Verify

Check if Vulnerable:

Check your Android app's build.gradle or dependencies for 'com.yalantis.ucrop:ucrop:2.2.11'

Check Version:

grep -r "com.yalantis.ucrop" build.gradle or check dependencies in Android Studio

Verify Fix Applied:

Verify the library version has been updated to a patched version when available

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from mobile apps to internal IP ranges
  • Requests to metadata services (169.254.169.254, etc.)

Network Indicators:

  • HTTP requests from mobile apps to unexpected internal destinations
  • Port scanning patterns from mobile app instances

SIEM Query:

source="mobile-app" AND dest_ip IN (RFC1918_ranges, localhost, metadata_services)

📊 Metadata

CVE ID: CVE-2025-14516
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-918
EPSS Score: 0.05% exploit probability (14.2th percentile)
Published: December 11, 2025
Last Updated: March 5, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14516, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)