CVE-2025-14516
Description
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cna@vuldb.com — https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?pvs=25#039fe30a92dc4ed88c9b03f85418e92e
Vendor advisory: cna@vuldb.com — https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| yalantis | ucrop | 2.2.11 | |
References
- https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446
- https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?pvs=25#039fe30a92dc4ed88c9b03f85418e92e
- https://vuldb.com/?ctiid.335854
- https://vuldb.com/?id.335854
- https://vuldb.com/?submit.702810
CWEs
CWE-918
Verify integrity in audit chain (admin only). AS-IS.