CVE-2025-14516
BaseFortify
Publication date: 2025-12-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yalantis | ucrop | 2.2.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized outbound requests initiated by the vulnerable component, specifically targeting the downloadFile function in uCrop 2.2.11. Since the vulnerability allows manipulation of URL parameters to induce server-side requests, network monitoring tools can be used to detect unexpected external requests originating from the application. However, no specific detection commands or signatures are provided in the available resources. It is recommended to analyze logs for suspicious URL requests or use application-level logging to identify abnormal URL handling behavior. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected uCrop 2.2.11 component with an alternative product or a patched version if available. Since the vendor did not respond or provide any mitigation, no official patches exist. Additionally, restricting or filtering outbound requests from the affected system to only trusted destinations can reduce exploitation risk. Implementing strict input validation and sanitization on URL parameters before processing them can also help mitigate the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No official mitigations or patches are currently available as the vendor did not respond to the disclosure. It is suggested to consider replacing the affected uCrop 2.2.11 component with an alternative product to avoid exploitation of this SSRF vulnerability. [1]
Can you explain this vulnerability to me?
This vulnerability exists in Yalantis uCrop version 2.2.11, specifically in the downloadFile function of the BitmapLoadTask.java file within the URL Handler component. It allows an attacker to perform server-side request forgery (SSRF) by manipulating the function, potentially causing the server to make unintended requests. The attack can be initiated remotely, and the exploit has been made public.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to make the server perform unauthorized requests to internal or external systems. This can lead to information disclosure, unauthorized access to internal resources, or further exploitation of the network behind the vulnerable server.