CVE-2025-14516
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14516
EUVD
EUVD-2025-202689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yalantis ucrop 2.2.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Yalantis uCrop version 2.2.11, specifically in the downloadFile function of the BitmapLoadTask.java file within the URL Handler component. It allows an attacker to perform server-side request forgery (SSRF) by manipulating the function, potentially causing the server to make unintended requests. The attack can be initiated remotely, and the exploit has been made public.

Impact Analysis

The vulnerability can impact you by allowing an attacker to make the server perform unauthorized requests to internal or external systems. This can lead to information disclosure, unauthorized access to internal resources, or further exploitation of the network behind the vulnerable server.

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized outbound requests initiated by the vulnerable component, specifically targeting the downloadFile function in uCrop 2.2.11. Since the vulnerability allows manipulation of URL parameters to induce server-side requests, network monitoring tools can be used to detect unexpected external requests originating from the application. However, no specific detection commands or signatures are provided in the available resources. It is recommended to analyze logs for suspicious URL requests or use application-level logging to identify abnormal URL handling behavior. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing the affected uCrop 2.2.11 component with an alternative product or a patched version if available. Since the vendor did not respond or provide any mitigation, no official patches exist. Additionally, restricting or filtering outbound requests from the affected system to only trusted destinations can reduce exploitation risk. Implementing strict input validation and sanitization on URL parameters before processing them can also help mitigate the vulnerability. [1, 2]

Mitigation Strategies

No official mitigations or patches are currently available as the vendor did not respond to the disclosure. It is suggested to consider replacing the affected uCrop 2.2.11 component with an alternative product to avoid exploitation of this SSRF vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart