Vulnerability Description
The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eddyverbruggen | Cordova Social Sharing | 6.0.4 |
| Android | - |
Related Weaknesses (CWE)
References
- https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-PluginProduct
- https://medium.com/@lcrawfqrd/local-dos-via-exported-receivers-f6b1da10d3b7ExploitThird Party Advisory
- https://www.npmjs.com/package/cordova-plugin-x-socialsharingProduct
FAQ
What is CVE-2025-65835?
CVE-2025-65835 is a vulnerability with a CVSS score of 6.2 (MEDIUM). The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an and...
How severe is CVE-2025-65835?
CVE-2025-65835 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65835?
Check the references section above for vendor advisories and patch information. Affected products include: Eddyverbruggen Cordova Social Sharing, Google Android.