CVE-2025-48567Path Traversal in Packages Providers Mediaprovider

CWE-22Path Traversal5 documents5 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 99.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Packages Providers MediaproviderGoogle Android
Timeline
PublishedMar 2

Description

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

Androidplatform/packages_providers_mediaprovider16-qpr2-next:016-qpr2-next:2026-03-01+3
CVEListV5google/android14, 15, 16+2
NVDgoogle/android14.0, 15.0, 16.0+2

🔴Vulnerability Details

3
CVEList
CVE-2025-48567: In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode n2026-03-02
GHSA
GHSA-j9x2-6wwj-w3x6: In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode n2026-03-02
OSV
CVE-2025-48567: In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode n2026-03-01

🕵️Threat Intelligence

1
Wiz
CVE-2025-48567 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-48567 — Path Traversal | cvebase