CVE-2025-65835

Name of the Vulnerable Software and Affected Versions cordova-plugin-x-socialsharing version 6.0.4

Description The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA CHOSEN COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA CHOSEN COMPONENT, the code dereferences a null value, resulting in a NullPointerException. Because the receiver is exported and lacks permission or caller validation, any local application can send crafted ACTION SEND broadcasts to crash the host application, leading to a local, unauthenticated application-level denial of service.

Recommendations Update to a newer version that contains a fix for this vulnerability.