Lobby Universe Lobby App
CVE-2025-8257
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Improper export of Android application components in Lobby Universe Lobby App versions 2.0 through 2.8.0 allows local attackers with user-level privileges to access sensitive functionality via the com.maverick.lobby component. The vulnerability stems from AndroidManifest.xml misconfiguration that exposes internal application activities without proper permission protection, enabling local privilege escalation or information disclosure. Publicly available exploit code exists, though exploitation requires local device access and authenticated user privileges.
Technical Context (AI)
The vulnerability is rooted in CWE-926 (Improper Export of Android Application Components), which occurs when Android apps declare activities, services, broadcast receivers, or content providers in AndroidManifest.xml with android:exported="true" or without explicit permission restrictions. This misconfiguration allows other installed applications or local processes running with user privileges to directly invoke these components, bypassing intended access controls. The Lobby Universe app component com.maverick.lobby violates Android security best practices by exposing functionality that should remain internal. This is a manifest-level configuration weakness rather than a code vulnerability, so it is detectable through static analysis of the compiled APK's manifest.
Remediation (AI)
Developers must release a patched version (2.8.1 or later) that modifies AndroidManifest.xml to either remove android:exported="true" from the com.maverick.lobby component, or add explicit permission declarations (android:permission attribute) to restrict component access to authorized callers only. End users should update the Lobby Universe Lobby App to the latest version available in the Google Play Store once a patch is released. If no update is available within 30 days, users should review installed applications for suspicious permissions and consider uninstalling the Lobby app if not essential. Device administrators can implement Mobile Device Management (MDM) policies to restrict sideloading of unsigned APKs and enforce minimum app version requirements, though this requires enterprise deployment. The vulnerability cannot be mitigated through runtime configuration; only code/manifest changes or app removal eliminate the risk.
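The manifest-level check described in the Technical Context and Remediation sections above can be automated. The following is an added example written for this page, not code from the vendor, from vuln.today or from the CVE record: it parses a decoded AndroidManifest.xml and reports every component that other apps can reach (android:exported="true", or an intent-filter with no explicit exported attribute) and that carries no android:permission. The two manifests it runs on are constructed for illustration; they reuse the package name com.maverick.lobby from the CVE record, but the component names (InternalSettingsActivity, SyncReceiver) are hypothetical placeholders, not the app's real components. The check assumes targetSdkVersion 17 or later, where a content provider without an exported attribute defaults to not exported.

```python
"""Static check for CWE-926: exported Android components that lack a permission.

Added example for this page (not vendor or vuln.today code). Run against a
manifest decoded from the APK (e.g. the AndroidManifest.xml apktool writes);
the binary AXML inside the APK must be decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def android_attr(name):
    """Qualified attribute name for android:<name>, as ElementTree reports it."""
    return "{%s}%s" % (ANDROID_NS, name)


def is_exported(elem):
    """Is this component reachable from other apps?

    android:exported, when present, is authoritative. When absent, the platform
    treats a component with an intent-filter as exported (targetSdk 31+ rejects
    that ambiguity at install time, but older builds still ship with it).
    Providers without the attribute are assumed not exported (targetSdk >= 17).
    """
    exported = elem.get(android_attr("exported"))
    if exported is not None:
        return exported.lower() == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def is_launcher_activity(elem):
    """The launcher activity must be exported without a permission; skip it."""
    return any(cat.get(android_attr("name")) == LAUNCHER
               for cat in elem.iter("category"))


def find_unprotected_exports(manifest_xml):
    """Return [(tag, fully qualified component name)] for exported components
    that neither the component nor the <application> element protects with
    android:permission (providers may also use read/writePermission)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(android_attr("permission"))
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if is_launcher_activity(elem):
            continue
        permission = (elem.get(android_attr("permission"))
                      or elem.get(android_attr("readPermission"))
                      or elem.get(android_attr("writePermission"))
                      or app_permission)
        if permission:
            continue
        name = elem.get(android_attr("name"), "")
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        findings.append((elem.tag, name))
    return findings


# Constructed manifests for illustration; component names are hypothetical.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.maverick.lobby">
  <application android:label="Lobby">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalSettingsActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.maverick.lobby.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Hardened form: internal activity no longer exported; receiver exported
# explicitly but gated behind a signature-level permission.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:name=".InternalSettingsActivity" android:exported="true"',
    'android:name=".InternalSettingsActivity" android:exported="false"',
).replace(
    '<receiver android:name=".SyncReceiver">',
    '<receiver android:name=".SyncReceiver" android:exported="true"\n'
    '          android:permission="com.maverick.lobby.permission.SYNC">',
)

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label, find_unprotected_exports(manifest))
```

On the vulnerable manifest the check flags both the explicitly exported internal activity and the receiver that is exported implicitly through its intent-filter; on the hardened manifest it flags nothing. The same function can be pointed at any decoded manifest to confirm that a vendor update actually closed the exposure rather than only bumping the version.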