CVE-2025-65835: n/a
CVE-2025-65835 is a medium severity vulnerability in the Cordova plugin cordova-plugin-x-socialsharing version 6.0.4 for Android. The plugin registers an exported broadcast receiver that listens for android.intent.action.SEND intents but fails to validate the presence of the EXTRA_CHOSEN_COMPONENT extra, leading to a NullPointerException and application crash. Because the receiver is exported and lacks permission checks, any local app on the device can send crafted broadcasts to trigger repeated crashes, causing a denial of service at the application level. This vulnerability does not impact confidentiality or integrity but affects availability by crashing the host app. Exploitation requires local access to the device but no special privileges or user interaction.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-65835 affects the Cordova plugin cordova-plugin-x-socialsharing version 6.0.4 on Android platforms. This plugin registers an exported broadcast receiver named nl.xservices.plugins.ShareChooserPendingIntent that listens for intents with the action android.intent.action.SEND. The onReceive method of this receiver accesses the Intent.EXTRA_CHOSEN_COMPONENT extra without verifying its presence, leading to a potential null pointer dereference if the extra is missing. Because the broadcast receiver is exported and does not enforce any permission or caller validation, any local application on the device can send a crafted broadcast intent lacking the EXTRA_CHOSEN_COMPONENT extra. This causes the host application embedding the plugin to crash repeatedly due to unhandled NullPointerExceptions, resulting in a denial of service at the application level. The vulnerability is classified under CWE-476 (NULL Pointer Dereference). The CVSS v3.1 score is 6.2, with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the attack requires local access but no privileges or user interaction, and impacts availability only. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability primarily affects the availability of apps using this plugin on Android devices, potentially disrupting user experience and business operations relying on these apps.
Potential Impact
For European organizations, the primary impact of CVE-2025-65835 is a local denial of service affecting Android applications that include the vulnerable cordova-plugin-x-socialsharing plugin. This can lead to repeated crashes of critical mobile applications, disrupting business processes, customer interactions, and internal workflows that depend on these apps. While the vulnerability does not compromise confidentiality or integrity, the loss of availability can cause operational delays, reputational damage, and increased support costs. Sectors with high reliance on mobile apps, such as finance, retail, healthcare, and public services, may experience significant disruption. Additionally, organizations with Bring Your Own Device (BYOD) policies may face increased risk, since a malicious local app on a user's device could crash corporate apps. The requirement for local access limits remote exploitation, but insider threats or malicious apps installed on devices could trigger the vulnerability. The absence of a user-interaction requirement means the attack can be automated once local access is obtained.
Mitigation Recommendations
To mitigate CVE-2025-65835, organizations should:
1) Update the cordova-plugin-x-socialsharing plugin to a patched version, once one is available, that properly validates the presence of Intent.EXTRA_CHOSEN_COMPONENT before dereferencing it.
2) If no patch is available, implement custom input validation in the app code to check intent extras before processing.
3) Restrict the exported broadcast receiver by setting android:exported="false" or applying permission checks to prevent unauthorized apps from sending crafted broadcasts.
4) Employ mobile application management (MAM) solutions to control which apps can be installed and restrict potentially malicious local apps.
5) Educate users about the risks of installing untrusted apps that could exploit local broadcast receivers.
6) Monitor app crash logs and device behavior for signs of repeated crashes that may indicate exploitation attempts.
7) For developers, follow secure coding practices to validate all intent extras and avoid null pointer dereferences.
8) Consider implementing runtime application self-protection (RASP) to detect and mitigate abnormal intent handling.
These steps go beyond generic advice by focusing on broadcast receiver exposure and local app controls specific to this vulnerability.
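The following Java receiver is an added example written for this page; it is not code from cordova-plugin-x-socialsharing and does not reproduce the plugin's ShareChooserPendingIntent class. It shows the defensive pattern behind recommendations 2, 3 and 7 above: the action is checked, Intent.EXTRA_CHOSEN_COMPONENT is read only after hasExtra() confirms it exists, and the value is type-checked, so a broadcast with a missing or wrong-typed extra is logged and dropped instead of crashing the host app. The type check goes slightly beyond the missing-extra case the advisory describes, since a Parcelable of the wrong class would otherwise raise a ClassCastException. The package, class name and the onChosen() hook are hypothetical.

```java
// Added example, not the plugin's own code. Package, class and onChosen() are
// hypothetical names chosen for illustration.
package com.example.hardened;

import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Parcelable;
import android.util.Log;

public class HardenedShareChooserReceiver extends BroadcastReceiver {

    private static final String TAG = "HardenedShareChooser";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Accept only the action this receiver is registered for
        // (Intent.ACTION_SEND is "android.intent.action.SEND").
        if (intent == null || !Intent.ACTION_SEND.equals(intent.getAction())) {
            Log.w(TAG, "Ignoring broadcast with unexpected action");
            return;
        }

        ComponentName chosen = chosenComponentOf(intent);
        if (chosen == null) {
            // Extra absent or malformed: log and return rather than letting a
            // NullPointerException (CWE-476) take down the host application.
            Log.w(TAG, "Broadcast without a valid EXTRA_CHOSEN_COMPONENT; ignoring");
            return;
        }

        onChosen(chosen);
    }

    /**
     * Returns the component the user picked in the share chooser, or null when
     * the extra is missing or is not a ComponentName. Never throws.
     */
    static ComponentName chosenComponentOf(Intent intent) {
        if (!intent.hasExtra(Intent.EXTRA_CHOSEN_COMPONENT)) {
            return null;
        }
        try {
            Parcelable value = intent.getParcelableExtra(Intent.EXTRA_CHOSEN_COMPONENT);
            return (value instanceof ComponentName) ? (ComponentName) value : null;
        } catch (RuntimeException e) {
            // Unparcelling an unexpected Parcelable can throw; treat it as absent.
            Log.w(TAG, "Could not read EXTRA_CHOSEN_COMPONENT", e);
            return null;
        }
    }

    /** Hypothetical hook: a real plugin would forward the choice to its JS callback. */
    protected void onChosen(ComponentName chosen) {
        Log.i(TAG, "Share target chosen: " + chosen.flattenToShortString());
    }
}

/*
 * Matching AndroidManifest.xml entry (hypothetical), following recommendation 3:
 * with android:exported="false" the receiver is not reachable by broadcasts
 * from other apps on the device, so the crash path is no longer exposed to them.
 *
 *   <receiver
 *       android:name="com.example.hardened.HardenedShareChooserReceiver"
 *       android:exported="false" />
 */
```

For recommendation 6, the two Log.w lines give monitoring a stable string to alert on: a burst of "Broadcast without a valid EXTRA_CHOSEN_COMPONENT" entries in logcat or a crash-reporting backend is the signal that something on the device is sending malformed broadcasts at the receiver, without the app ever crashing.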
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69405ac4d9bcdf3f3dfb23c4
Added to database: 12/15/2025, 7:00:20 PM
Last enriched: 12/22/2025, 7:28:32 PM
Last updated: 2/7/2026, 2:57:05 AM