CVE-2025-8257
BaseFortify
Publication date: 2025-07-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lobbyuniverse | lobby | 2.0 |
| lobbyuniverse | lobby | 2.1 |
| lobbyuniverse | lobby | 2.2 |
| lobbyuniverse | lobby | 2.3 |
| lobbyuniverse | lobby | 2.4 |
| lobbyuniverse | lobby | 2.5 |
| lobbyuniverse | lobby | 2.6 |
| lobbyuniverse | lobby | 2.7 |
| lobbyuniverse | lobby | 2.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-926 | The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. |
| CWE-NVD-CWE-Other |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8257 is a vulnerability in the Lobby Universe Lobby App for Android (up to version 2.8.0) caused by improper export of Android application components in the AndroidManifest.xml file. This improper export allows other local applications to access or manipulate these components without proper authorization, enabling a Task Hijacking attack. Through this, malicious apps can inherit permissions from the vulnerable app and potentially phish login credentials or misuse app functionality. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing malicious local applications on your Android device to hijack tasks of the vulnerable app, inherit its permissions, and potentially steal sensitive information such as login credentials. It compromises the confidentiality, integrity, and availability of the app's data and functionality, leading to unauthorized access and misuse. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the AndroidManifest.xml file of the Lobby Universe Lobby App (com.maverick.lobby) version 2.8.0 or earlier for improperly exported components. Since the vulnerability involves improper export of Android application components, you can check for exported components that do not have proper permission restrictions. Additionally, local access to the device is required to verify this. A suggested approach is to extract the APK and analyze the AndroidManifest.xml for exported components. Commands such as 'adb shell pm list packages' to identify the app, 'adb shell pm path com.maverick.lobby' to get the APK path, 'adb pull' to retrieve the APK, and tools like 'apktool' to decode the APK and inspect the AndroidManifest.xml can be used. Also, searching for exported components in the manifest file can be done with grep commands, e.g., 'grep -i export androidmanifest.xml'. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves modifying the AndroidManifest.xml file of the affected app to prevent improper export of components and task hijacking. This means ensuring that exported components have proper permission restrictions or are not exported unless necessary. Since the vulnerability requires local access and affects versions up to 2.8.0, updating the app to a fixed version (if available) or replacing it with an alternative product is recommended. If you have control over the app, review and restrict the exported components in the manifest. If not, limit local access to the device and avoid installing untrusted applications that could exploit this vulnerability. [1, 2]