Yalantis uCrop Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Yalantis uCrop version 2.2.11. The issue arises in the 'downloadFile' function within 'com.yalantis.ucrop.task.BitmapLoadTask.java', specifically in its URL handling code. The vulnerability can be exploited remotely by manipulating the supplied input, leading the server to make unintended requests.

Impact

Exploitation of this vulnerability results in server-side request forgery: the server is tricked into making requests to internal or external resources on behalf of the attacker. This could be used to reach sensitive information or services that are not normally exposed to the public.

Added: Dec 11, 2025, 2:19 PM
Updated: Dec 11, 2025, 2:19 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:         10.0
exploitability:  6.6
remediation:     0.0
relevance:       1.4
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.