CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.
Analysis
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and Base64-encoded secrets are stored as plaintext in compiled native binaries, allowing attackers with network access to extract these credentials via static analysis of the binary. This affects all applications using the vulnerable library version, and the high CVSS score of 7.5 reflects the ease of exploitation (no authentication required) and significant confidentiality impact, though the practical risk depends on whether secrets are actually embedded at build time and the sensitivity of exposed data.
Technical Context
react-native-keys is a React Native library for managing cryptographic keys and secrets. The vulnerability stems from CWE-312 (Cleartext Storage of Sensitive Information), where the library fails to implement proper secret management practices during the native binary compilation process. Instead of securely deriving keys at runtime or using platform-specific secure storage mechanisms (iOS Keychain, Android Keystore), the library embeds encryption cipher material and Base64-encoded key chunks directly into the compiled native binary artifacts (.so files on Android, frameworks on iOS). This makes secrets statically recoverable through simple binary analysis tools like strings, objdump, or radare2, defeating the entire purpose of using a key management library. The root cause is architectural: the library performs key initialization or storage at compile-time rather than leveraging runtime secure storage APIs.
Affected Products
CPE: cpe:2.3:a:react-native-keys:react-native-keys:0.7.11:*:*:*:*:*:*:* (exact version specified in CVE). All applications and products built with react-native-keys version 0.7.11 are affected, including but not limited to: mobile applications using Expo or bare React Native workflows that include this dependency. The vulnerability affects both iOS and Android platforms. Versions prior to 0.7.11 may have similar issues; versions after 0.7.11 should be checked for availability of a patched release. No vendor advisory URL was provided in the CVE data, suggesting this may be a community-discovered or independently disclosed vulnerability; researchers should check the react-native-keys GitHub repository (github.com/react-native-keys/react-native-keys or similar) for patch availability and release notes.
Remediation
Immediate actions:
(1) Audit your application's package.json and lock files to identify whether react-native-keys version 0.7.11 is a direct or transitive dependency.
(2) Check the official react-native-keys repository for a patched version (likely 0.7.12 or later, or a major version update).
(3) Upgrade to the latest patched version with `npm update react-native-keys` or `yarn upgrade react-native-keys`, then rebuild the native binaries.
(4) For applications already in production with 0.7.11, prioritize releasing an updated build to the app stores with the patched library.
Workarounds (if no patch is available immediately):
(a) Migrate to an alternative key management solution that properly uses platform-specific secure storage (iOS Keychain via react-native-keychain, Android Keystore via react-native-keystore or similar).
(b) Refactor the application to load sensitive secrets from a secure remote backend at runtime rather than embedding them at build time.
(c) Use obfuscation tools as a short-term mitigation, though this does not eliminate the vulnerability.
Long-term: adopt secure coding practices such as never storing plaintext secrets in binaries, leveraging native platform security APIs, and conducting regular security audits of dependency chains.
EUVD-2025-17558
GHSA-fj44-h6xw-896g