Yalantis uCrop CVE-2025-14517
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Yalantis uCrop 2.2.11 contains an improperly exported Android application component (UCropActivity) in AndroidManifest.xml that allows local attackers with application-level privileges to access the component via intent manipulation, potentially disclosing sensitive information. The vulnerability requires local access and user application permissions but affects confidentiality with low impact. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite public disclosure.
Technical ContextAI
The vulnerability stems from CWE-926 (Implicit Android Exported Component), a class of flaws affecting Android applications that fail to properly restrict component accessibility. The UCropActivity is exposed without explicit android:exported="false" declaration in AndroidManifest.xml, allowing other applications on the same device to send intents to it. uCrop is an Android image cropping library commonly embedded in third-party apps; improper export creates an attack surface for intent-based exploitation where malicious apps can manipulate the activity's functionality. The CPE cpe:2.3:a:yalantis:ucrop:2.2.11:*:*:*:*:*:*:* specifically identifies the affected library version.
RemediationAI
The primary fix requires application developers integrating uCrop 2.2.11 to explicitly declare the UCropActivity with android:exported="false" in their AndroidManifest.xml file. Developers should upgrade to a patched version of uCrop if available from community forks or alternative libraries, or manually patch the library's AndroidManifest.xml before compilation. Since Yalantis did not provide an official patch, the immediate workaround is to prevent intent-based access to the UCropActivity by setting android:exported="false" alongside removing any intent-filter declarations if not explicitly required. Applications should also implement explicit intent verification and only allow trusted callers to interact with the cropping component. For end users, no direct mitigation exists beyond avoiding installation of vulnerable apps; device administrators can restrict sideloading of untrusted applications to limit local attack surface.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today