Yalantis uCrop CVE-2025-14516
Severity: LOW
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Server-side request forgery in Yalantis uCrop 2.2.11 allows authenticated remote attackers to manipulate the downloadFile function in the BitmapLoadTask.java URL handler, enabling arbitrary HTTP requests from the affected server. The vulnerability requires user authentication (PR:L) and carries limited confidentiality and integrity impact. Public exploit code exists, though the vendor has not responded to early disclosure attempts.
Technical Context (AI)
The vulnerability exists in the BitmapLoadTask.java component of the uCrop image-cropping library, specifically within the downloadFile function that handles URL-based image loading. The underlying issue (CWE-918: Server-Side Request Forgery) arises from insufficient validation of user-supplied URLs before the application initiates HTTP requests. The URL handler accepts attacker-controlled input without proper sanitization, allowing an authenticated user to specify arbitrary URLs. The library then fetches content from these URLs on behalf of the server, exposing internal services, triggering requests to restricted endpoints, or accessing metadata services in cloud environments. This is a client-side library vulnerability that manifests when integrated into Android applications without additional validation layers.
Remediation (AI)
No vendor-released patch is available given the unresponsive vendor. Immediate remediation requires upgrading to a patched version if available from alternative sources, or replacing uCrop with a maintained image-cropping library that includes URL validation (such as Glide or Picasso, which have built-in request filtering). If uCrop 2.2.11 cannot be replaced immediately, implement compensating controls: enforce strict URL allowlisting in the application layer before passing URLs to uCrop (validate against an allowlist of permitted image domains), disable uCrop's network-based image loading and require pre-downloaded images, or restrict outbound network access from the application using network-level controls (firewall rules preventing access to internal IP ranges and metadata services). Monitor for evidence of SSRF exploitation in application logs (requests to unexpected destinations, 169.254.169.254 cloud metadata access, or internal service ports). Each mitigation trades functionality for security: allowlisting reduces user flexibility, pre-downloading adds latency, and network restrictions may break legitimate use cases; prioritize based on the application's threat model.
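The application-layer allowlist described above, as an added example in plain Java (it is not uCrop's code and not part of the advisory). The host list `ALLOWED_HOSTS` and the class name are assumptions; the sample inputs in `main` are constructed for illustration. The gate runs entirely on the URI string, before the application ever hands a source `Uri` to uCrop, so no network request is made for a rejected URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Allowlist gate for user-supplied image URLs, applied before a URI reaches uCrop's URL loader. */
public final class ImageUrlAllowlist {

    // Hypothetical allowlist: only these hosts may be used as remote image sources.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "images.example.com",
            "cdn.example.com"));

    private ImageUrlAllowlist() {}

    /**
     * Returns true only when the URL is an https URL whose host is exactly in the
     * allowlist. Other schemes, userinfo, IP literals, unknown hosts and malformed
     * input are all rejected without any network access.
     */
    public static boolean isAllowed(String rawUrl) {
        if (rawUrl == null) return false;
        final URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return false; // malformed input is rejected rather than guessed at
        }
        // Scheme: insist on https; this also rejects file:, content: and scheme-less strings.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Userinfo ("allowed.host@real.host") disguises the real host; refuse it outright.
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        host = host.toLowerCase(Locale.ROOT);
        // Reject IP literals so link-local, metadata and private ranges cannot be named directly.
        if (isIpLiteral(host)) return false;
        // Exact match only: no suffix matching, so "cdn.example.com.attacker.tld" does not pass.
        return ALLOWED_HOSTS.contains(host);
    }

    /** True if the host component is a dotted-quad IPv4 or a bracketed IPv6 literal. */
    private static boolean isIpLiteral(String host) {
        if (host.startsWith("[")) return true;            // URI.getHost() keeps IPv6 brackets
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");   // IPv4 literal
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none are taken from the advisory.
        String[] samples = {
            "https://images.example.com/photo.jpg",          // allowed
            "http://images.example.com/photo.jpg",           // wrong scheme
            "https://169.254.169.254/latest/meta-data/",     // IP literal (cloud metadata address)
            "https://images.example.com@evil.example/x.jpg", // userinfo disguise
            "https://cdn.example.com.evil.example/x.jpg",    // suffix spoof
            "file:///data/data/com.example/cache/x.jpg",     // non-network scheme
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

Only the first sample is accepted. Note what this gate does not cover: an allowlisted hostname that resolves to an internal address (DNS rebinding, or a compromised CDN record) still gets fetched, which is why the network-level controls above remain necessary alongside the allowlist rather than as an alternative to it.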