CVE-2025-14517: Improper Export of Android Application Components in Yalantis uCrop
A vulnerability was determined in Yalantis uCrop 2.2.11. It affects the UCropActivity component as declared in the file AndroidManifest.xml. Manipulation of this component can lead to improper export of Android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-14517 identifies a vulnerability in the Yalantis uCrop Android library version 2.2.11, specifically related to the improper export of application components declared in the AndroidManifest.xml file, notably the UCropActivity. Android components such as activities, services, and broadcast receivers can be exported unintentionally if not properly configured, allowing other applications or local attackers to interact with them in unintended ways. In this case, the vulnerability allows a local attacker with limited privileges (PR:L) to manipulate the UCropActivity component due to its improper export settings. This could lead to unauthorized access to app functionality or data leakage. The attack vector is local (AV:L), meaning the attacker must have access to the device or an app running on it. No user interaction is required (UI:N), and the attack complexity is low (AC:L). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). The vendor was contacted but did not respond, and no patch is currently available. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are reported in the wild. The CVSS 4.0 base score is 4.8, reflecting a medium severity level. This vulnerability is particularly relevant for developers and organizations embedding uCrop 2.2.11 in their Android applications, as it could be exploited by malicious local apps or users to gain unintended access or disrupt app behavior.
Potential Impact
For European organizations, the impact of CVE-2025-14517 primarily concerns mobile applications that integrate the vulnerable uCrop 2.2.11 library. If exploited, local attackers could leverage the improperly exported UCropActivity to access or manipulate app components, potentially leading to unauthorized data access, leakage of sensitive information, or disruption of app functionality. Although the attack requires local access, this could be achieved through malicious apps installed on user devices or by attackers with physical access. This risk is heightened in sectors with sensitive mobile app usage such as finance, healthcare, and government services. The lack of vendor response and patch availability increases the window of exposure. Additionally, organizations relying on third-party apps embedding uCrop may face indirect risks. The medium severity and local attack vector limit widespread impact but still pose a tangible threat to confidentiality and integrity of mobile app data and operations within European enterprises.
Mitigation Recommendations
European organizations and developers should immediately audit their Android applications for usage of uCrop version 2.2.11 or earlier. They should inspect the AndroidManifest.xml files to verify that only necessary components are exported, explicitly setting android:exported="false" for components that do not require external access, especially UCropActivity. If possible, update to a patched or newer version of uCrop once available. Until a patch is released, consider applying custom patches or workarounds such as overriding the manifest exports during build time. Employ runtime application self-protection (RASP) techniques to monitor and block unauthorized component interactions. Educate users to avoid installing untrusted local apps that could exploit this vulnerability. For organizations distributing apps internally, enforce strict app vetting and device management policies to reduce local attack risks. Finally, monitor threat intelligence feeds for any emerging exploits targeting this vulnerability to respond promptly.
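As an added example (not from the advisory or the uCrop project), a small Python check that parses an AndroidManifest.xml and flags components another app can reach: explicitly exported with no permission guard, or implicitly exported because they declare an intent-filter without an android:exported attribute (the pre-targetSdk-31 rule). The manifest it scans is constructed here; every name in it other than UCropActivity is an assumption.

```python
# Added example: audits a manifest for components other apps can reach.
# The sample manifest is constructed for illustration, not uCrop's real one.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- no android:exported, but has an intent-filter: implicitly exported
         when targetSdk < 31 -->
    <activity android:name="com.yalantis.ucrop.UCropActivity">
      <intent-filter>
        <action android:name="com.example.CROP"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""


def audit_exports(manifest_xml: str) -> list[tuple[str, str, str]]:
    """Return (tag, name, reason) for each component reachable from other apps
    without a permission guard: android:exported="true", or the attribute
    absent while an <intent-filter> is present (implicit export, targetSdk < 31)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            name = comp.get(ANDROID_NS + "name", "?")
            exported = comp.get(ANDROID_NS + "exported")
            if comp.get(ANDROID_NS + "permission") is not None:
                continue  # callers must hold the permission; not open to any app
            if exported == "true":
                findings.append((tag, name, "explicitly exported without permission"))
            elif exported is None and comp.find("intent-filter") is not None:
                findings.append((tag, name, "implicitly exported via intent-filter"))
    return findings


if __name__ == "__main__":
    for tag, name, reason in audit_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}")
```

Run it against the merged manifest of a built APK (the output of manifest merging, not only your own source manifest) so that components contributed by libraries are included.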
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-11T06:46:00.975Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693ad0797d4c6f31f7b1f560
Added to database: 12/11/2025, 2:08:57 PM
Last enriched: 12/11/2025, 2:23:54 PM
Last updated: 12/11/2025, 9:28:47 PM