CVSS: 9.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2024-32876 – NewPipe has potential security vulnerability when importing settings
https://notcve.org/view.php?id=CVE-2024-32876
24 Apr 2024 — NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in Arbitrary Code Execution. This is because backups are serialized/deserialized using Java's Object Serialization Stream Protocol, which can allow constructing any class in the app, unless properly restricted. To exploit t... • https://docs.oracle.com/javase/6/docs/platform/serialization/spec/protocol.html • CWE-502: Deserialization of Untrusted Data