Unsecured Broadcast Receiver in Bluebird Devices Exposes File Overwriting Vulnerability
CVE-2025-5346

5.1MEDIUM

Key Information:

Vendor: Bluebird
Status: Kr.co.bluebird.android.bbsettings
Vendor: CVE Published:; 17 July 2025

What is CVE-2025-5346?

The Bluebird barcode scanner application has a critical security flaw due to an unsecured broadcast receiver, which allows local attackers to exploit the system. Attackers can leverage this vulnerability to overwrite files containing the '.json' keyword using a default barcode configuration file. This issue stems from a lack of protection against path traversal, permitting attackers to specify arbitrary locations for file manipulation. All versions prior to 1.3.3 are affected, rendering them susceptible to potential misuse.

Affected Version(s)

kr.co.bluebird.android.bbsettings Android 0 < 1.3.3

References

https://cert.pl/en/posts/2025/07CVE-2025-5344

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 17, 2025
Vulnerability Reserved
May 30, 2025

Credit

Szymon Chadam