Listen to this Post
How CVE-2025-45001 Works
The vulnerability in react-native-keys 0.7.11 stems from improper handling of encryption materials during the build process. When developers use this library for secure key storage, the encryption cipher specifications and Base64-encoded key chunks are embedded as plaintext strings within the compiled native binary (either Android .apk or iOS .ipa). Attackers can use basic static analysis tools like strings, jadx, or Ghidra to extract these sensitive components. The exposed materials allow reconstruction of encryption keys without requiring runtime access or privileged permissions.
DailyCVE Form
Platform: React-Native
Version: 0.7.11
Vulnerability: Info Disclosure
Severity: Critical
Date: 06/23/2025
Prediction: Patch by 07/15/2025
What Undercode Say
$ strings libnative.so | grep -i "AES|BASE64" $ jadx --deobf app-release.apk $ ghidra analyzeHeadless -import app.ipa
How Exploit
1. Download target APK/IPA
2. Extract binaries
3. Search for crypto strings
4. Rebuild keys
Protection from this CVE
1. Upgrade library
2. Obfuscate builds
3. Use NDK protections
Impact
1. Credential theft
2. Data decryption
3. API abuse
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
