react-native-keys insecurely stores encryption cipher and Base64 chunks

Severity:: High

Description

react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.7.11

References

GHSA-fj44-h6xw-896g
CVE-2025-45001
CWE-312
CAPEC-310
OWASP 2021-A4
OWASP 2021-A6

Related Issues

Credential leak in react-native-fast-image - CVE-2020-7696
React Router has XSS Vulnerability - CVE-2025-59057
React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
React Router has Path Traversal in File Session Storage - CVE-2025-61686

Tags:: npm; react-native-keys

Anything's wrong? Let us know Last updated on July 02, 2025