| Title | uCrop Android Library uCrop 2.2.11 Intent Spoofing |
|---|---|
| Description | Hello, this is arrester. On June 10th, I reported the issue to the official uCrop library GitHub via the Security tab and also tagged the person in charge during the process to reach out, but since I still haven’t received any response, I am now reporting it to VulDB. The Intent Spoofing vulnerability I discovered occurs because there is no input validation for `sourceUri` and `destinationUri` in `UCrop.of(sourceUri, destinationUri)`, which results in unauthorized access to specific file paths on the mobile device and file corruption (creation, overwriting, etc.). |
| Source | https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?source=copy_link |
| User | arrester (UID 93048) |
| Submission | 11/27/2025 19:38 (7 months ago) |
| Moderation | 12/11/2025 07:46 (14 days later) |
| Status | Accepted |
| VulDB entry | 335855 [Yalantis uCrop 2.2.11 AndroidManifest.xml UCropActivity improper export of android application components] |
| Points | 17 |