Skip to content
Medium Published: Dec 15, 2025 Modified: Dec 15, 2025

CVE-2025-65835

6.2 CVSS Score Medium
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Export CVE-2025-65835 Data:
Share:
Link copied!

Description

The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin.

CVSS Vector Details

Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Weaknesses (CWE)

  • CWE-476

References & External Links

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

Related Vulnerabilities

CVE-2001-1559 CVSS 5.5 Same weakness: CWE-476 CVE-2002-0401 CVSS 7.5 Same weakness: CWE-476 CVE-2002-1912 CVSS 7.5 Same weakness: CWE-476 CVE-2003-1000 CVSS 7.5 Same weakness: CWE-476 CVE-2003-1013 CVSS 7.5 Same weakness: CWE-476

CVE History Timeline

Dec 15, 2025 19:16 New CVE Received
Dec 15, 2025 20:15 CVE Modified
← Back to CVE Tracker