Yalantis uCrop CVE-2025-14516
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Server-side request forgery in Yalantis uCrop 2.2.11 allows authenticated remote attackers to manipulate the downloadFile function in BitmapLoadTask.java URL handler, enabling arbitrary HTTP requests from the affected server. The vulnerability requires user authentication (PR:L) and carries limited confidentiality and integrity impact. Public exploit code exists, though the vendor has not responded to early disclosure attempts.
Technical ContextAI
The vulnerability exists in the BitmapLoadTask.java component of the uCrop image-cropping library, specifically within the downloadFile function that handles URL-based image loading. The underlying issue (CWE-918: Server-Side Request Forgery) arises from insufficient validation of user-supplied URLs before the application initiates HTTP requests. The URL handler accepts attacker-controlled input without proper sanitization, allowing an authenticated user to specify arbitrary URLs. The library then fetches content from these URLs on behalf of the server, exposing internal services, triggering requests to restricted endpoints, or accessing metadata services in cloud environments. This is a client-side library vulnerability that manifests when integrated into Android applications without additional validation layers.
RemediationAI
No vendor-released patch is available given the unresponsive vendor. Immediate remediation requires upgrading to a patched version if available from alternative sources, or replacing uCrop with a maintained image-cropping library that includes URL validation (such as Glide or Picasso, which have built-in request filtering). If uCrop 2.2.11 cannot be replaced immediately, implement compensating controls: enforce strict URL allowlisting in the application layer before passing URLs to uCrop (validate against a whitelist of permitted image domains), disable uCrop's network-based image loading and require pre-downloaded images, or restrict outbound network access from the application using network-level controls (firewall rules preventing access to internal IP ranges and metadata services). Monitor for evidence of SSRF exploitation in application logs (requests to unexpected destinations, 169.254.169.254 cloud metadata access, or internal service ports). Each mitigation trades functionality for security - allowlisting reduces user flexibility, pre-downloading adds latency, and network restrictions may break legitimate use cases; prioritize based on application threat model.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today