CVE-2025-14617
Path Traversal in JW Library Android App Component SiloContainer
Publication date: 2025-12-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jehovahs_witnesses | jw_library_app | 15.5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path traversal issue (CWE-22) in the Jehovah's Witnesses JW Library App (up to version 15.5.1) on Android. It affects an unknown function within the component org.jw.jwlibrary.mobile.activity.SiloContainer. An attacker with local access to the device can hand the app a file whose name contains directory-traversal sequences such as '../'; because the app does not neutralize them when it builds the destination path, that path can resolve outside the directory the import was meant to stay in and reach files the app keeps in its private storage.
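The following is an added example, not code from the JW Library app or from VulDB. It models the CWE-22 pattern the answer above describes: an import routine that builds a destination path from an attacker-controlled file name (the '_display_name' value of a shared file) and writes it under the app's private directory. `vulnerable_destination` shows how a naive join lets '../' segments climb out of the import directory into shared_prefs; `hardened_destination` shows the checks that stop it. The directory layout under /data/data/org.jw.jwlibrary.mobile is assumed for illustration only (the shared_prefs path is the one named on this page, the `files/import` subdirectory and all function names are hypothetical).

```python
"""CWE-22 illustration for the import pattern described on this page.

Added example, not the app's code.  Paths are only manipulated as
strings, so this runs offline on any platform with '/' separators.
"""
import os

# Private data directory of the package named on the CVE page.
APP_DATA = "/data/data/org.jw.jwlibrary.mobile"
# Hypothetical directory the import routine is supposed to stay inside.
IMPORT_DIR = os.path.join(APP_DATA, "files", "import")


def vulnerable_destination(display_name: str) -> str:
    """Naive join: trusts the caller-supplied display name as a file name.

    os.path.normpath collapses '..' segments, so a name such as
    '../../shared_prefs/x.xml' resolves to a path outside IMPORT_DIR.
    A write to the returned path would overwrite the app's own files.
    """
    return os.path.normpath(os.path.join(IMPORT_DIR, display_name))


def hardened_destination(display_name: str) -> str:
    """Accept only a bare file name and prove the result stays in IMPORT_DIR.

    Two layers: a strict allow-list on the name itself (no separators,
    no reserved names, no NUL), then a canonical containment check as
    defence in depth.  Real code on a device should additionally run
    os.path.realpath on the existing parent so symlinks are resolved too.
    """
    if not display_name or display_name in (".", ".."):
        raise ValueError("empty or reserved file name")
    if "/" in display_name or "\\" in display_name or "\x00" in display_name:
        raise ValueError("directory separators are not allowed in a file name")
    candidate = os.path.normpath(os.path.join(IMPORT_DIR, display_name))
    # Containment check: the longest common prefix path must be IMPORT_DIR
    # itself, and the candidate must not collapse onto the directory.
    if os.path.commonpath([IMPORT_DIR, candidate]) != IMPORT_DIR \
            or candidate == IMPORT_DIR:
        raise ValueError("path escapes import directory")
    return candidate


if __name__ == "__main__":
    # Constructed attacker-supplied name targeting the file named on the page.
    evil = "../../shared_prefs/org.jw.jwlibrary.mobile_preferences.xml"
    print("naive join writes to :", vulnerable_destination(evil))
    print("hardened accepts     :", hardened_destination("export.bin"))
    try:
        hardened_destination(evil)
    except ValueError as exc:
        print("hardened rejects     :", exc)
```

The point of the second layer is that sanitising (stripping to a basename) silently turns an attack into an odd-looking but successful import, whereas rejecting the name gives the app a signal it can log, which is also what the detection answer further down relies on.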
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to files on the device due to path traversal. This could result in exposure or modification of sensitive data, impacting confidentiality, integrity, and availability of information within the app. However, local access is required to exploit this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-14617 centres on the file-import path of the JW Library app: watch for ACTION_SEND intents delivered to org.jw.jwlibrary.mobile whose '_display_name' value carries path-traversal sequences ('../' and its percent-encoded forms). Because the reported exploit rewrites files inside the app's private storage, an unexpected change to a file such as '/data/data/org.jw.jwlibrary.mobile/shared_prefs/org.jw.jwlibrary.mobile_preferences.xml' (a new modification time, a changed checksum, or content the app would not write itself) is a strong indicator of exploitation. From a workstation with adb access you can inspect that directory with 'adb shell su -c "ls -l /data/data/org.jw.jwlibrary.mobile/shared_prefs/"' (this needs a rooted device; on a debuggable build 'adb shell run-as org.jw.jwlibrary.mobile ls -l shared_prefs' works without root) and follow the app's log output with 'adb logcat | grep org.jw.jwlibrary.mobile'. Record a baseline listing and checksum of the shared_prefs files first, since a bare 'ls' output on its own does not tell you whether a file was altered. Intent-monitoring tooling on the device can additionally flag crafted URIs sent to the component. [1]
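As an added example (not part of this page or of any vendor tooling), the detection logic from the answer above applied to a handful of constructed logcat-style lines. The lines below are made up for the example and only approximate real ActivityManager output; in particular a real log line does not carry '_display_name' inline, since that value lives in the shared content provider, so in practice the display name would come from an intent-monitoring hook and be fed to the same checks. The detector keys on the package named on this page, the ACTION_SEND action, and traversal markers in the name after repeated percent-decoding.

```python
"""Flag ACTION_SEND deliveries to the vulnerable package whose display name
contains path traversal.  Added example; log lines are constructed."""
import re
import urllib.parse

# Package named on the CVE page.
TARGET_PACKAGE = "org.jw.jwlibrary.mobile"
ACTION_SEND = "android.intent.action.SEND"
# Constructed field format; real logcat output does not include this key.
DISPLAY_NAME_RE = re.compile(r"_display_name=([^\s}]+)")


def decode_layers(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms
    are normalised before inspection."""
    out = value
    for _ in range(rounds):
        dec = urllib.parse.unquote(out)
        if dec == out:
            break
        out = dec
    return out


def suspicious_display_name(name: str) -> bool:
    """A legitimate display name is a bare file name: no separators,
    no '..' component, no NUL.  Anything else is treated as traversal."""
    decoded = decode_layers(name).replace("\\", "/")
    if "\x00" in decoded or decoded in ("", ".", ".."):
        return True
    return "/" in decoded or ".." in decoded.split("/")


def scan_logcat(lines):
    """Return (display_name, line) for every ACTION_SEND to TARGET_PACKAGE
    whose display name looks like a traversal payload."""
    hits = []
    for line in lines:
        if ACTION_SEND not in line or TARGET_PACKAGE not in line:
            continue
        m = DISPLAY_NAME_RE.search(line)
        if m and suspicious_display_name(m.group(1)):
            hits.append((m.group(1), line))
    return hits


# Constructed sample; the benign first line and the unrelated last line
# must not be flagged, the two traversal attempts must be.
SAMPLE_LOGCAT = [
    "I ActivityManager: START u0 {act=android.intent.action.SEND "
    "typ=application/octet-stream cmp=org.jw.jwlibrary.mobile/.activity.SiloContainer "
    "_display_name=backup.bin} from uid 10245",
    "I ActivityManager: START u0 {act=android.intent.action.SEND "
    "typ=application/octet-stream cmp=org.jw.jwlibrary.mobile/.activity.SiloContainer "
    "_display_name=../../shared_prefs/org.jw.jwlibrary.mobile_preferences.xml} from uid 10301",
    "I ActivityManager: START u0 {act=android.intent.action.SEND typ=text/plain "
    "cmp=org.jw.jwlibrary.mobile/.activity.SiloContainer "
    "_display_name=..%2F..%2Fshared_prefs%2Fx.xml} from uid 10301",
    "I ActivityManager: START u0 {act=android.intent.action.VIEW "
    "cmp=com.example.other/.Main _display_name=../x} from uid 10100",
]


if __name__ == "__main__":
    for name, line in scan_logcat(SAMPLE_LOGCAT):
        print("TRAVERSAL ->", name)
```

Pipe real output through the same functions with `scan_logcat(sys.stdin)` once you have a source that exposes the display name; the percent-decoding loop is what keeps a simple `grep '\.\./'` from missing encoded variants.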
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to the device to prevent exploitation, as the attack requires local access. Since no official patches or countermeasures are documented, it is recommended to avoid using the vulnerable JW Library app version 15.5.1 and replace or update the app once a fixed version is available. Additionally, monitoring and restricting apps that can send intents to the vulnerable component may reduce risk. Applying general Android security best practices such as limiting app permissions and avoiding installation of untrusted applications can also help mitigate exploitation. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of CVE-2025-14617 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows arbitrary file overwrite and potential exposure or manipulation of sensitive internal files, it could lead to breaches of confidentiality, integrity, and availability of data. Such breaches may negatively affect compliance with data protection regulations that require safeguarding personal or sensitive information. No direct statements about compliance impact or regulatory consequences are given. [1, 2, 3]