How the CVE Works
Sentry's Android session replay records screenshots of the app's UI and is supposed to mask text (and other sensitive views) before each frame is serialized and uploaded. In apps that use Jetpack Compose 1.8.0-alpha08 or newer, `sentry-android` versions before 8.14.0 fail to recognise Compose text composables as text, so the masking rules are never applied to them. Any text rendered by Compose at capture time, including password fields and other PII, therefore ends up unredacted in the replay data sent to Sentry's servers, where it is visible to anyone who can view the project's replays.
DailyCVE Form
Platform: Android
Version: <8.14.0
Vulnerability: Data exposure
Severity: Critical
Date: 2024-03-15
Prediction: Patch expected by 2024-04-10
What Undercode Say
There is no dedicated "leak" log line to grep for. With `debug=true` set in the SDK options, the Android SDK logs under the `Sentry` tag, which lets you confirm whether the replay integration is active on a device:
adb logcat | grep -i "sentry"
Pin the fixed SDK in your module's build.gradle:
implementation 'io.sentry:sentry-android:8.14.0'
How Exploit
No device-side exploitation is involved; the exposure is to whoever can read the recordings.
- Obtain access to the affected project's session replays in Sentry.
- Open recordings of screens where Compose text went unmasked.
- Read the credentials or PII directly from the captured frames.
Protection from this CVE
- Upgrade to `sentry-android` v8.14.0 or later.
- Until then, disable session replay by setting both replay sample rates (`sessionReplay.sessionSampleRate` and `sessionReplay.onErrorSampleRate`) to 0.0.
- Alternatively, stay on Jetpack Compose v1.7.x, which the affected SDK versions still mask correctly.
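As an added example (not code from this page or from the Sentry project), the following Kotlin puts both the mechanism described under "How the CVE Works" and the mitigations above in one place: a `SentryAndroid.init` block that turns replay off on a pre-8.14.0 SDK (or, after the upgrade, keeps masking explicit), and a Compose login form that marks its fields for masking instead of relying on the SDK's text detection. It assumes `sentry-android` 8.x with the `sentry-compose-android` artifact on the classpath; the DSN, `ExampleApp` and `LoginForm` names are placeholders, and the `sentryReplayMask`/`sentryReplayUnmask` modifiers are assumed to be the ones that artifact provides.

```kotlin
// Added example, not code from the DailyCVE page or the Sentry project.
// Assumes sentry-android 8.x plus sentry-compose-android; DSN and class
// names are placeholders.
import android.app.Application
import androidx.compose.foundation.layout.Column
import androidx.compose.material3.Text
import androidx.compose.material3.TextField
import androidx.compose.runtime.Composable
import androidx.compose.runtime.getValue
import androidx.compose.runtime.mutableStateOf
import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.Modifier
import androidx.compose.ui.text.input.PasswordVisualTransformation
import io.sentry.android.core.SentryAndroid
import io.sentry.compose.sentryReplayMask
import io.sentry.compose.sentryReplayUnmask

class ExampleApp : Application() {
    override fun onCreate() {
        super.onCreate()
        SentryAndroid.init(this) { options ->
            options.dsn = "https://examplePublicKey@o0.ingest.sentry.io/0" // placeholder

            // Workaround while still on an SDK older than 8.14.0: a replay is
            // only recorded when one of these rates is non-zero, so 0.0 / 0.0
            // switches the feature off without removing the dependency.
            options.sessionReplay.sessionSampleRate = 0.0
            options.sessionReplay.onErrorSampleRate = 0.0

            // After upgrading to >= 8.14.0 recording can be re-enabled, e.g.
            //   options.sessionReplay.sessionSampleRate = 0.1
            //   options.sessionReplay.onErrorSampleRate = 1.0
            // Keep the privacy defaults explicit so a future default change
            // cannot silently widen what gets captured.
            options.sessionReplay.maskAllText = true
            options.sessionReplay.maskAllImages = true
        }
    }
}

@Composable
fun LoginForm() {
    var email by remember { mutableStateOf("") }
    var password by remember { mutableStateOf("") }

    Column {
        // Static label: safe to show and useful context when reviewing a replay.
        Text("Sign in", modifier = Modifier.sentryReplayUnmask())

        // PII: mask explicitly rather than trusting text auto-detection,
        // which is the part that broke with Compose 1.8.0-alpha08+.
        TextField(
            value = email,
            onValueChange = { email = it },
            modifier = Modifier.sentryReplayMask(),
        )

        // Replay captures whatever is rendered, so a "show password" toggle
        // would defeat PasswordVisualTransformation on its own; mask the node.
        TextField(
            value = password,
            onValueChange = { password = it },
            visualTransformation = PasswordVisualTransformation(),
            modifier = Modifier.sentryReplayMask(),
        )
    }
}
```

Setting both sample rates to zero keeps the replay integration loaded but idle; if the build must not ship replay code at all, drop the dependency instead. Keep the explicit `sentryReplayMask()` modifiers after upgrading: masking that depends on the SDK recognising a Compose node as text is exactly what failed here.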
Impact
- Exposure of credentials and PII to everyone with access to the Sentry project's replays.
- Compliance violations (GDPR, CCPA).
- Reputational damage.
Sources:
Reported By: github.com