CVE-2025-14517

5.3 MEDIUM

📋 TL;DR

This vulnerability in the Yalantis uCrop library stems from an improperly exported Android application component (UCropActivity), which could let a local attacker spoof intents delivered to it or use it to perform server-side request forgery. It affects Android applications that use uCrop 2.2.11 for image cropping. Exploitation requires local access to the device.

💻 Affected Systems

Products:
  • Yalantis uCrop Android library
Versions: 2.2.11
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android apps that integrate uCrop library. Vulnerability is in UCropActivity component export configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker could execute arbitrary activities, access sensitive app data, or perform server-side request forgery to internal network resources.

🟠 Likely Case

A malicious app on the same device could intercept or manipulate image cropping operations, potentially accessing or modifying user images.

🟢 If Mitigated

With proper Android permissions and sandboxing, the impact is limited to data within the vulnerable app's scope.

🌐 Internet-Facing: LOW - requires local device access, not remotely exploitable.
🏢 Internal Only: MEDIUM - local exploitation possible but requires malicious app installation or physical access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local app installation or physical device access. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch is available. Consider removing the uCrop library or replacing it with an alternative solution.

🔧 Temporary Workarounds

Manifest configuration fix (applies to: all)

Modify AndroidManifest.xml to properly configure the export attribute of UCropActivity.

Edit AndroidManifest.xml: set android:exported="false" on UCropActivity if it does not need to be launched by other apps; otherwise, restrict access with appropriate intent filters and permissions.
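The app-side manifest override described above, written out as an added illustration (this is not uCrop's own manifest or code). It assumes the library declares the activity under the fully qualified name com.yalantis.ucrop.UCropActivity and that the app's manifest is merged with the library's at build time; the commented-out declaration shows the weak form (nothing overridden), the live one the hardened form.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: app-side AndroidManifest.xml fragment for an app that depends on uCrop.
     Assumption: the library's activity is com.yalantis.ucrop.UCropActivity. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">

    <application>

        <!-- Weak: the activity is left exactly as the library declares it, so the
             merged manifest keeps whatever export setting the library ships with and
             the activity may be reachable by any other app on the device.
        <activity android:name="com.yalantis.ucrop.UCropActivity" />
        -->

        <!-- Hardened: re-declare the activity in the app manifest and force
             android:exported="false". tools:replace makes this value win over the
             one in the library manifest, if the library sets one explicitly.
             Explicit intents sent from inside this app still reach the activity. -->
        <activity
            android:name="com.yalantis.ucrop.UCropActivity"
            android:exported="false"
            tools:replace="android:exported" />

    </application>
</manifest>
```

If the manifest merger reports that there is nothing to replace (the library manifest never set the attribute), drop the tools:replace attribute and keep android:exported="false"; the merged result is the same. After building, confirm the setting by inspecting the merged manifest in the build output rather than the app's source manifest, since the merger, not the source file, decides what ships.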

🧯 If You Can't Patch

  • Implement runtime permission checks and input validation for intents received by UCropActivity
  • Use Android's permission system to restrict which apps can interact with UCropActivity

🔍 How to Verify

Check if Vulnerable:

Check whether the app uses uCrop 2.2.11 and inspect AndroidManifest.xml for a UCropActivity entry with an improper export configuration.

Check Version:

Check the build.gradle dependencies for 'com.yalantis:ucrop:2.2.11'.

Verify Fix Applied:

Verify that UCropActivity has the intended android:exported attribute and intent filters in the merged AndroidManifest.xml.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected intent calls to UCropActivity
  • Permission denial logs for UCropActivity access attempts

Network Indicators:

  • Unexpected outbound requests from app following image cropping operations

SIEM Query:

Android logs: activity starts of UCropActivity with suspicious intent parameters or originating from untrusted source packages.
