Background of previous report

Hello, this is arrester. On June 10th, I reported the issue to the official uCrop GitHub repository using the Security tab and even tagged the person in charge during the process, but since I still haven’t received a response, I am now submitting it to VulDB.


Summary

The uCrop library is affected by a Critical Server-Side Request Forgery (SSRF) and a Medium-severity Intent Spoofing issue. An attacker can exploit the SSRF by supplying a malicious URL to the uCrop image cropping component, which makes the application issue arbitrary network requests on behalf of the user; this enables internal network scanning and potential data exfiltration from sensitive internal endpoints. Additionally, UCropActivity is exported, so a malicious application can launch it out of context, which may lead to UI redressing or denial of service.

Details

1. Critical - Server-Side Request Forgery (SSRF) (CWE-918)

The core of the SSRF vulnerability lies in the com.yalantis.ucrop.task.BitmapLoadTask class. When a URI is passed to uCrop to be processed, the processInputUri method checks the URI scheme.

If the scheme is http or https, the URI is passed to the downloadFile method.

// In com.yalantis.ucrop.task.BitmapLoadTask.java

private boolean processInputUri() throws NullPointerException, IOException {
    // ...
    String scheme = mInputUri.getScheme();
    Log.d(TAG, "Uri scheme: " + scheme);
    // Only the scheme is inspected; the host, and the address it resolves to, are never checked
    if ("http".equals(scheme) || "https".equals(scheme)) {
        try {
            downloadFile(mInputUri, mOutputUri);
        } catch (NullPointerException | IOException e) {
            Log.e(TAG, "Downloading failed", e);
            return false;
        }
    }
    // ...
}

The downloadFile method then proceeds to make a network request to the given URI using OkHttpClient without any validation or restriction on the target URL.

// In com.yalantis.ucrop.task.BitmapLoadTask.java

private void downloadFile(@NonNull Uri inputUri, @NonNull Uri outputUri) throws NullPointerException, IOException {
    // ...
    OkHttpClient client = new OkHttpClient(); // A new client is created
    Request request = new Request.Builder().url(inputUri.toString()).build();
    Response response = client.newCall(request).execute(); // The request is executed here
    // ...
}

There is no check to prevent requests to internal IP addresses (e.g., 127.0.0.1, 192.168.x.x) or metadata services (e.g., 169.254.169.254). An attacker can thus craft a URL pointing to an internal service, and the application using the uCrop library will execute the request.

2. Medium - Intent Spoofing / Unauthorized Activity Launch (CWE-926)

The UCropActivity is declared in the library's AndroidManifest.xml with android:exported="true". This allows any application on the device to create an Intent and start this activity directly. A malicious application could potentially launch UCropActivity with crafted Intent data to perform UI redressing attacks, confuse the user, or cause a denial of service by repeatedly launching the activity.

Additionally, UCrop.of performs no validation of its sourceUri and destinationUri arguments. Therefore, if an application lets the user supply an image URL, that URL reaches the download path unchecked and the SSRF described above may occur; and if an application forwards a Uri it received into startActivity without checking it, an Intent Redirection vulnerability may also occur.
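The following is an added example and not code from uCrop or its maintainers. It shows the two checks the report above finds missing: an app-side policy applied to a user-supplied URL before it is passed to UCrop.of, and an OkHttpClient configured so that the download step (the library-side fix to downloadFile would take the same shape) refuses to connect to loopback, link-local (which includes 169.254.169.254), private or unique-local addresses and does not follow redirects. The class name SafeImageSource and the allow-listed host images.example.com are assumed placeholders; the code assumes OkHttp 3.x/4.x and android.net.Uri.

```java
// Added example, not uCrop's own code. Assumes OkHttp 3.x/4.x and android.net.Uri;
// the class name and the allow-listed host are placeholders.
import android.net.Uri;
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import okhttp3.Dns;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class SafeImageSource {

    // Hosts this app actually serves images from (placeholder value).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("images.example.com"));

    private SafeImageSource() {}

    /** Pre-flight check for a user-supplied image URL before it is handed to UCrop.of(). */
    public static boolean isAllowedSource(Uri source) {
        String scheme = source.getScheme();
        String host = source.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equals(scheme)) return false;        // plain http is not accepted
        if (source.getUserInfo() != null) return false;   // reject user@host confusion
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** True only for an address that is publicly routable. */
    static boolean isPublicAddress(InetAddress addr) {
        if (addr.isAnyLocalAddress()          // 0.0.0.0, ::
                || addr.isLoopbackAddress()   // 127/8, ::1
                || addr.isLinkLocalAddress()  // 169.254/16 (incl. 169.254.169.254), fe80::/10
                || addr.isSiteLocalAddress()  // 10/8, 172.16/12, 192.168/16
                || addr.isMulticastAddress()) {
            return false;
        }
        byte[] raw = addr.getAddress();
        if (addr instanceof Inet6Address) {
            // fc00::/7 (unique local) is not covered by isSiteLocalAddress
            return (raw[0] & 0xfe) != 0xfc;
        }
        // IPv4-mapped IPv6 input (::ffff:a.b.c.d) is returned by java.net as an
        // Inet4Address, so it takes this path. Ranges the java.net helpers do not flag:
        int b0 = raw[0] & 0xff, b1 = raw[1] & 0xff;
        if (b0 == 100 && b1 >= 64 && b1 <= 127) return false;           // 100.64/10 (CGNAT)
        if (b0 == 192 && b1 == 0 && (raw[2] & 0xff) == 0) return false; // 192.0.0.0/24
        return true;
    }

    /** Resolver that never hands OkHttp a non-public address, so a hostname that
     *  resolves (or later rebinds) to an internal IP cannot be connected to. */
    static final Dns PUBLIC_ONLY_DNS = hostname -> {
        List<InetAddress> safe = new ArrayList<>();
        for (InetAddress a : Dns.SYSTEM.lookup(hostname)) {
            if (isPublicAddress(a)) safe.add(a);
        }
        if (safe.isEmpty()) {
            throw new UnknownHostException("refusing non-public address for " + hostname);
        }
        return safe;
    };

    /** Client for image downloads: filtered DNS and no redirect following, so a
     *  3xx from an allowed host cannot bounce the request to an internal one. */
    static final OkHttpClient CLIENT = new OkHttpClient.Builder()
            .dns(PUBLIC_ONLY_DNS)
            .followRedirects(false)
            .followSslRedirects(false)
            .build();

    /** Hardened counterpart of the library's downloadFile: policy check, then fetch. */
    public static byte[] fetch(Uri source) throws IOException {
        if (!isAllowedSource(source)) {
            throw new IOException("source URL rejected by policy: " + source);
        }
        Request request = new Request.Builder().url(source.toString()).build();
        try (Response response = CLIENT.newCall(request).execute()) {
            if (!response.isSuccessful() || response.body() == null) {
                throw new IOException("unexpected response " + response.code());
            }
            return response.body().bytes();
        }
    }
}
```

The host allow-list is the primary control; the filtered Dns and disabled redirects are defence in depth for the case where an allowed host is compromised or resolves to something unexpected. Because OkHttp connects only to the addresses the Dns implementation returns, the check happens on the address actually used rather than on a separate earlier lookup. With redirects disabled the app must handle 3xx responses itself if it ever needs them.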