Published: 2020/07/08  Last Updated: 2020/07/09

Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of Java object


Android App "Mercari" (Japan version) contains a vulnerability allowing arbitrary method execution of a Java object.

Products Affected

  • Android App "Mercari" (Japan version) prior to version 3.52.0
According to the developer, the affected versions are no longer in use, because the update was applied automatically whenever the application was launched.


Android App "Mercari" (Japan version) provided by Mercari, Inc. contains a vulnerability which may allow arbitrary Java method execution (CWE-749) due to inadequate restrictions on the addJavascriptInterface method of the WebView class.


A remote attacker in a Man-In-The-Middle position may execute an arbitrary method of a Java object by using the Java Reflection API from JavaScript code running in the WebView.
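The following is an added illustration of the weakness class described above and of the developer-side hardening that removes it; it is constructed for this advisory and is not Mercari's code. Class names, the bridge object name "app", version strings and the example.invalid URLs are assumptions.

```java
import android.annotation.SuppressLint;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Constructed example of the CWE-749 pattern behind this advisory (not Mercari's code).
public final class BridgeExamples {

    // With targetSdkVersion < 17 the @JavascriptInterface annotation is not enforced:
    // every public method of the bridge object, and through reflection any object
    // reachable from it, becomes callable by page JavaScript.
    static final class UnsafeBridge {
        public String appVersion() { return "3.51.0"; }   // constructed value
    }

    // Hardened bridge: with targetSdkVersion >= 17 only methods carrying
    // @JavascriptInterface are reachable from JavaScript, and the object
    // holds no reference that leads anywhere sensitive.
    static final class SafeBridge {
        @JavascriptInterface
        public String appVersion() { return "3.52.0"; }   // constructed value
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void vulnerableSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        // Cleartext URL: a network attacker can substitute the page and its scripts,
        // and the substituted script then reaches the unrestricted bridge.
        webView.addJavascriptInterface(new UnsafeBridge(), "app");
        webView.loadUrl("http://example.invalid/help");      // placeholder URL
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void hardenedSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Refuse navigation away from the trusted HTTPS origin so the bridge
                // is never exposed to a page the app does not control.
                return !url.startsWith("https://example.invalid/");
            }
        });
        webView.addJavascriptInterface(new SafeBridge(), "app");
        webView.loadUrl("https://example.invalid/help");     // placeholder URL
    }
}
```

Detaching the bridge with removeJavascriptInterface("app") before loading any third-party content, and keeping all WebView traffic on HTTPS, closes the Man-In-The-Middle path described in the Impact section.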


Update the Application
This vulnerability is addressed by updating the application to the latest version.
According to the developer, there is no need for users to take any actions since the application is automatically updated when it is launched, and the affected API level is no longer in use in the current versions of the application.

Vendor Status

Vendor          Status       Last Update   Vendor Notes
Mercari, Inc.   Vulnerable   2020/07/08


JPCERT/CC Addendum

This JVN publication was delayed until 2020/07/08, after the developer fix was developed. Since fiscal year 2011, JPCERT/CC has been using a new vendor coordination procedure. This procedure came from the recommendation of the fiscal year 2010 "Study Group on Information System Vulnerability Handling", aimed at more timely JVN publications.

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 5.0
CVSS v2 Base Score: 5.1


Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5604
JVN iPedia: JVNDB-2020-000043

Update History

Modified some descriptions in this advisory
Fixed some typos in this advisory