CVE-2025-10184 PoC — OnePlus OxygenOS Telephony provider permission bypass

Source

https://github.com/Webpage-gh/CVE-2025-10184-PoC

Associated Vulnerability

Title:OnePlus OxygenOS Telephony provider permission bypass (CVE-2025-10184)
Description:The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers.

Description

OxygenOS Telephony provider permission bypass

File Snapshot


 [4.0K]  /data/pocs/a404c1fc8023784d04a02449680efbb4dc07eb6f
├── [4.0K]  app
│   ├── [ 953]  build.gradle
│   ├── [ 751]  proguard-rules.pro
│   └── [4.0K]  src
│       ├── [4.0K]  androidTest
│       │   └── [4.0K]  java
│       │       └── [4.0K]  poc
│       │           └── [4.0K]  chutchut
│       │               └── [4.0K]  cpblindsqli
│       │                   └── [ 775]  ExampleInstrumentedTest.java
│       ├── [4.0K]  main
│       │   ├── [ 754]  AndroidManifest.xml
│       │   ├── [4.0K]  java
│       │   │   └── [4.0K]  poc
│       │   │       └── [4.0K]  chutchut
│       │   │           └── [4.0K]  cpblindsqli
│       │   │               ├── [ 13K]  MainActivity.java
│       │   │               └── [9.3K]  QueryParser.java
│       │   └── [4.0K]  res
│       │       ├── [4.0K]  drawable
│       │       │   └── [5.5K]  ic_launcher_background.xml
│       │       ├── [4.0K]  drawable-v24
│       │       │   └── [1.7K]  ic_launcher_foreground.xml
│       │       ├── [4.0K]  layout
│       │       │   └── [1.8K]  activity_main.xml
│       │       ├── [4.0K]  mipmap-anydpi-v26
│       │       │   ├── [ 272]  ic_launcher_round.xml
│       │       │   └── [ 272]  ic_launcher.xml
│       │       ├── [4.0K]  mipmap-hdpi
│       │       │   ├── [3.5K]  ic_launcher.png
│       │       │   └── [5.2K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-mdpi
│       │       │   ├── [2.6K]  ic_launcher.png
│       │       │   └── [3.3K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xhdpi
│       │       │   ├── [4.8K]  ic_launcher.png
│       │       │   └── [7.3K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xxhdpi
│       │       │   ├── [7.7K]  ic_launcher.png
│       │       │   └── [ 12K]  ic_launcher_round.png
│       │       ├── [4.0K]  mipmap-xxxhdpi
│       │       │   ├── [ 10K]  ic_launcher.png
│       │       │   └── [ 16K]  ic_launcher_round.png
│       │       └── [4.0K]  values
│       │           ├── [ 208]  colors.xml
│       │           ├── [  74]  strings.xml
│       │           └── [ 383]  styles.xml
│       └── [4.0K]  test
│           └── [4.0K]  java
│               └── [4.0K]  poc
│                   └── [4.0K]  chutchut
│                       └── [4.0K]  cpblindsqli
│                           └── [ 396]  ExampleUnitTest.java
├── [ 564]  build.gradle
├── [4.0K]  gradle
│   └── [4.0K]  wrapper
│       ├── [ 53K]  gradle-wrapper.jar
│       └── [ 232]  gradle-wrapper.properties
├── [1.0K]  gradle.properties
├── [5.2K]  gradlew
├── [2.2K]  gradlew.bat
└── [  46]  settings.gradle

31 directories, 32 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!