react-native-keys insecurely stores encryption cipher and Base64 chunks

Severity:: High

Description

react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.7.11

References

GHSA-fj44-h6xw-896g
CVE-2025-45001
CWE-312
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Credential leak in react-native-fast-image - CVE-2020-7696
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers - CVE-2025-31137
The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
react-native-mmkv Insertion of Sensitive Information into Log File vulnerability - CVE-2024-21668

Tags:: npm; react-native-keys

Anything's wrong? Let us know Last updated on July 02, 2025