VYPR
Medium severity (4.4, NVD Advisory) · Published Dec 15, 2025 · Updated Apr 29, 2026

CVE-2025-14698


Description

A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Galleryit – Photo Vault, Album app 1.3.8.2 allows local attackers to overwrite arbitrary files via a crafted intent.

Root Cause

The vulnerability resides in the gallery.photogallery.pictures.vault.album.GalleryWelcomeActivity1 component of the Galleryit – Photo Vault, Album app (version 1.3.8.2) on Android. The app fails to properly validate file paths when handling imported files via an Intent.ACTION_VIEW with a content URI. By manipulating the _display_name parameter with path traversal sequences (e.g., ../../), an attacker can direct the file write operation to arbitrary locations within the app's internal storage [1].
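The unsafe join described above, shown next to a hardened check, as an added Java example that is not the Galleryit app's own code; the import directory location and the helper names are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Added example: how an import handler should treat a display name read from a
// content provider (e.g. the _display_name column returned for a content URI
// received via Intent.ACTION_VIEW). The name is attacker-controlled, because the
// provider belongs to whichever app sent the intent.
public class ImportPathCheck {

    // Vulnerable pattern described in the advisory: the display name is joined
    // to the import directory as-is, so "../" segments escape the directory.
    static File unsafeTarget(File importDir, String displayName) {
        return new File(importDir, displayName);
    }

    // Hardened version: reject separators and dot names outright, then prove via
    // the canonical path that the resolved file still lives inside importDir.
    static File safeTarget(File importDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()
                || displayName.contains("/") || displayName.contains("\\")
                || displayName.equals(".") || displayName.equals("..")
                || displayName.indexOf('\0') >= 0) {
            throw new IOException("rejected display name: " + displayName);
        }
        File base = importDir.getCanonicalFile();
        File target = new File(base, displayName).getCanonicalFile();
        // Parent must be exactly the import directory; getCanonicalFile resolves
        // symlinks, so a planted link inside importDir is caught as well.
        if (!base.equals(target.getParentFile())) {
            throw new IOException("path escapes import directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Assumed import location; on Android this would be under the app's files dir.
        File importDir = new File(System.getProperty("java.io.tmpdir"), "imports");
        importDir.mkdirs();
        // Constructed sample input modelled on the advisory's traversal name.
        String hostile = "../../shared_prefs/AwOriginVisitLoggerPrefs.xml";
        System.out.println("unsafe join resolves to: " + unsafeTarget(importDir, hostile).getCanonicalPath());
        try {
            safeTarget(importDir, hostile);
        } catch (IOException e) {
            System.out.println("hardened check: " + e.getMessage());
        }
        System.out.println("benign name accepted: " + safeTarget(importDir, "holiday.jpg"));
    }
}
```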

Exploitation

Exploitation requires a malicious app installed on the same device that sends a crafted intent to the vulnerable component. The attacker controls both the filename (via path traversal) and the file content. No complex user interaction is needed; the attack triggers automatically when the victim opens the malicious app. The published proof-of-concept overwrites the AwOriginVisitLoggerPrefs.xml shared preferences file [1].

Impact

Successful exploitation allows an attacker to overwrite critical configuration files, such as shared preferences or executable code. This can lead to arbitrary code execution, exposure of sensitive information, denial of service, or other severe security impacts depending on the overwritten file [1].

Mitigation

The vendor (BETTER FITNESS LIMITED) was contacted but did not respond. As of the publication date, no patch or workaround has been released. Users should consider removing the app or restricting its permissions until a fix is available [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)