| Field | Value |
|---|---|
| Title | uCrop Android Library 2.2.11 Server-Side Request Forgery |
| Description | Hello, this is arrester. On June 10th, I reported the issue to the official uCrop GitHub repository using the Security tab and even tagged the person in charge during the process, but since I still haven't received a response, I am now submitting it to VulDB. The SSRF vulnerability I discovered occurs due to insufficient input validation in the URL handling of the downloadFile function in com.yalantis.ucrop.task.BitmapLoadTask.java. |
| Source | https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446 |
| User | arrester (UID 93048) |
| Submission | 11/27/2025 19:36 (7 months ago) |
| Moderation | 12/11/2025 07:46 (14 days later) |
| Status | Accepted |
| VulDB entry | 335854 [Yalantis uCrop 2.2.11 URL com.yalantis.ucrop.task.BitmapLoadTask.java downloadFile server-side request forgery] |
| Points | 17 |