Yalantis uCrop CVE-2025-14517
Severity: LOW
CVSS Vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Yalantis uCrop 2.2.11 declares an improperly exported Android application component (UCropActivity) in its AndroidManifest.xml, which allows a local attacker with application-level privileges to reach the component through crafted intents, potentially disclosing sensitive information. Exploitation requires local access and ordinary application permissions, and the impact on confidentiality is rated low. Public exploit code is available, though the EPSS score of 0.06% suggests limited real-world exploitation despite the public disclosure.
Technical Context (AI-generated)
The vulnerability stems from CWE-926 (Implicit Android Exported Component), a class of flaws in Android applications that fail to restrict which other apps may reach their components. UCropActivity is declared in AndroidManifest.xml without an explicit android:exported="false" attribute, so other applications installed on the same device can send intents to it. uCrop is an Android image-cropping library commonly embedded in third-party apps, so the improper export creates an intent-based attack surface in every app that ships the library's manifest unchanged: a malicious co-installed app can invoke the activity and influence its behaviour. The CPE cpe:2.3:a:yalantis:ucrop:2.2.11:*:*:*:*:*:*:* identifies the affected library version.
Remediation (AI-generated)
The primary fix is for application developers integrating uCrop 2.2.11 to declare UCropActivity explicitly with android:exported="false" in their AndroidManifest.xml. Developers should upgrade to a patched version of uCrop if one becomes available from community forks or switch to an alternative library, or manually patch the library's AndroidManifest.xml before compilation. Since Yalantis has not provided an official patch, the immediate workaround is to block intent-based access to UCropActivity by setting android:exported="false" and removing any intent-filter declarations that are not strictly required. Applications should also verify the caller of any intent that reaches the cropping component and accept only trusted callers. For end users no direct mitigation exists beyond avoiding installation of vulnerable apps; device administrators can restrict sideloading of untrusted applications to limit the local attack surface.