CVE-2024-32876

Name of the Vulnerable Software and Affected Versions NewPipe versions 0.13.4 through 0.26.1

Description The issue arises from the import of backups in NewPipe, which uses Java's Object Serialization Stream Protocol. This can lead to Arbitrary Code Execution if a user imports a malicious backup file from an untrusted source. An attacker would need to persuade a user to import such a file, allowing the execution of malicious code, potentially crashing the app, stealing user data, or performing actions through Android APIs. The attack requires no additional privileges and can be independent of the user or device.

Recommendations To resolve the issue, update to NewPipe version 0.27.0, which restricts the classes that can be deserialized, deprecates backups serialized with Java's Object Serialization Stream Protocol, and uses JSON serialization for new backups. As a temporary workaround, consider avoiding the import of backups from untrusted sources to minimize the risk of exploitation.