React Native Receive Sharing Intent
Monthly
Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.
Arbitrary file overwrite in the react-native-receive-sharing-intent library (ajith-ab) lets a co-resident malicious Android app write attacker-controlled content outside the intended cache directory into the consuming app's private data. The flaw stems from trusting a ContentProvider-supplied _display_name containing dot-dot sequences, enabling overwrite of databases, shared preferences, and cached config. Publicly available exploit code exists (reported by VulnCheck); no active exploitation has been reported in CISA KEV.