react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
- Severity: Medium
Description
Before version 2.11.0, react-native-mmkv logged the optional encryption key for the MMKV database to the Android system log. Anyone with access to the Android Debug Bridge (ADB) can obtain the key if ADB is enabled in the phone settings. This bug is not present on iOS devices.
Recommendation
Update the react-native-mmkv package to the latest compatible version. Version details:
- Affected version(s): < 2.11.0
- Patched version(s): 2.11.0
- Tags: npm, react-native-mmkv
Last updated on January 19, 2024