CVE-2025-65835

low-risk
Published 2025-12-15

The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.2/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Cordova Social Sharing

Affected Vendors

Eddyverbruggen

References (3)

Product https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin
Exploit https://medium.com/@lcrawfqrd/local-dos-via-exported-receivers-f6b1da10d3b7
Product https://www.npmjs.com/package/cordova-plugin-x-socialsharing
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal