CVE-2025-45001: react-native-keys insecurely stores encryption cipher and Base64 chunks

June 9, 2025 (updated July 2, 2025)

react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.

References

gist.github.com/ch3tanbug/44aedff79dd5d2d6beadbffcd01e0de5
github.com/advisories/GHSA-fj44-h6xw-896g
github.com/ch3tanbug/vulnerability-research/tree/main/CVE-2025-45001
github.com/numandev1/react-native-keys
nvd.nist.gov/vuln/detail/CVE-2025-45001

Code Behaviors & Features

Detect and mitigate CVE-2025-45001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →