CVE-2025-65835
📋 TL;DR
This vulnerability allows any local Android application to repeatedly crash any app using the vulnerable cordova-plugin-x-socialsharing plugin by sending crafted broadcasts. The crash occurs due to a null pointer dereference when the broadcast receiver processes malformed SEND intents. All Android applications that include version 6.0.4 of this Cordova plugin are affected.
💻 Affected Systems
- cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin)
📦 What is this software?
Cordova Social Sharing by Eddyverbruggen
⚠️ Risk & Real-World Impact
Worst Case
Persistent denial of service making the host application unusable until the malicious app is removed or the plugin is updated.
Likely Case
Intermittent application crashes when a malicious app targets the vulnerable application, disrupting user experience.
If Mitigated
No impact if the plugin is updated or the broadcast receiver is properly secured.
🎯 Exploit Status
Exploitation requires creating a simple Android app that sends broadcast intents. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.5 or later
Vendor Advisory: https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin
Restart Required: Yes
Instructions:
1. Update cordova-plugin-x-socialsharing to version 6.0.5 or later using: cordova plugin remove cordova-plugin-x-socialsharing && cordova plugin add cordova-plugin-x-socialsharing@latest
2. Rebuild your Android application
3. Deploy the updated application to affected devices
🔧 Temporary Workarounds
Remove vulnerable plugin
All platforms: Temporarily remove the social sharing functionality until patched
cordova plugin remove cordova-plugin-x-socialsharing
Add permission protection
Android: Add an android:permission attribute to the broadcast receiver in AndroidManifest.xml
Edit AndroidManifest.xml to add: android:permission="your.custom.permission" to the nl.xservices.plugins.ShareChooserPendingIntent receiver declaration
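The receiver declaration with the permission guard in place, as an added example that is not from the advisory or from the plugin's own manifest entries; the package name and permission name are constructed placeholders, and the receiver's other attributes are left exactly as the plugin generates them:

```xml
<!-- Added example (not the plugin's own manifest entry): the relevant parts of
     the app's AndroidManifest.xml after the workaround has been applied.
     Package and permission names are constructed placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hostapp">

    <!-- Declare the guard permission. protectionLevel="signature" means only
         apps signed with this app's signing key can hold it, so a broadcast
         from a third-party app is rejected before onReceive() ever runs. -->
    <permission
        android:name="com.example.hostapp.permission.SHARE_CHOOSER_CALLBACK"
        android:protectionLevel="signature" />

    <application>
        <!-- The plugin-generated receiver, unchanged except for the added
             android:permission attribute. A PendingIntent fired on this app's
             behalf carries the app's own identity, so its own share-chooser
             callback still gets through the permission check. -->
        <receiver
            android:name="nl.xservices.plugins.ShareChooserPendingIntent"
            android:permission="com.example.hostapp.permission.SHARE_CHOOSER_CALLBACK" />
    </application>
</manifest>
```

Edits made directly under platforms/android are discarded when the Android platform is removed and re-added, so re-apply this change after regenerating the platform.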
🧯 If You Can't Patch
- Isolate vulnerable applications on separate devices from untrusted apps
- Implement mobile application management (MAM) controls to prevent installation of untrusted applications
🔍 How to Verify
Check if Vulnerable:
Check if cordova-plugin-x-socialsharing version 6.0.4 is installed: cordova plugin list | grep cordova-plugin-x-socialsharing
Check Version:
cordova plugin list | grep cordova-plugin-x-socialsharing
Verify Fix Applied:
Verify plugin version is 6.0.5 or higher: cordova plugin list | grep cordova-plugin-x-socialsharing
📡 Detection & Monitoring
Log Indicators:
- Repeated NullPointerException crashes in Android logs from nl.xservices.plugins.ShareChooserPendingIntent
- Frequent application crashes with stack traces pointing to the social sharing plugin
Network Indicators:
- No network indicators - this is a local vulnerability
SIEM Query:
android_logs source="*" message="*NullPointerException*" AND message="*nl.xservices.plugins.ShareChooserPendingIntent*"