CVE-2025-45001 – react-native-keys
Package
Manager: npm
Name: react-native-keys
Vulnerable Version: >=0 <=0.7.11
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00015 (percentile 0.02104)
Details
react-native-keys insecurely stores encryption cipher and Base64 chunks
react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.
Metadata
Created: 2025-06-09T18:32:16Z
Modified: 2025-07-02T19:46:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-fj44-h6xw-896g/GHSA-fj44-h6xw-896g.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-fj44-h6xw-896g
Finding: F020
Auto approve: 1