MAL-2025-4779 Malicious code in @react-native-aria/combobox (npm)
Source: google-open-source-security (1ac997eb7889bb6aa988bf49e9beb198eb49629764c6fff1ac19cd4e8118b600). React Native ARIA and @gluestack-ui/utils had unauthorized new versions published that contained malicious code via a public access token...
MAL-2025-4778 Malicious code in @react-native-aria/checkbox (npm)
Source: google-open-source-security (ddc6ca13c84757389a8703ee553981d86519fdeca6112152dc3bf344c98ea337). React Native ARIA and @gluestack-ui/utils had unauthorized new versions published that contained malicious code via a public access token...
MAL-2025-4873 Malicious code in react-native-atob (npm)
Source: ghsa-malware (4b91f4867862f09ae93e8c5413e74fc6e717d421419c933ef721bf15df14c6e5). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-F5XG-CFPJ-2MW6 taro-css-to-react-native Regular Expression Denial of Service vulnerability
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely...
@agreejs/cli (>=0.0.1 <=3.2.43), @agreejs/rn-runner (>=3.2.1 <=3.2.15) +98 more potentially affected by CVE-2025-5896 via taro-css-to-react-native (>=1.3.0-beta.1 <=4.1.2-alpha.2)
taro-css-to-react-native NPM version =1.3.0-beta.1, =0.0.1, =3.2.1, =3.2.1, =1.0.0, =1.0.0, =1.0.0-alpha.1, =1.0.0-alpha.1, =1.0.0, =1.1.5, =1.0.0, =1.3.2 - @c-art/convert-cli =1.1.0 - @d-bigfish/cli =1.0.14 - @d1m-atom/taro-vue-cli =1.0.5 and more Source cves: CVE-2025-5896 Source advisory:...
GHSA-FJ44-H6XW-896G react-native-keys insecurely stores encryption cipher and Base64 chunks
react-native-keys 0.7.11 is vulnerable to remote sensitive information disclosure, as the encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools...
CVE-2025-45001
react-native-keys 0.7.11 is vulnerable to remote sensitive information disclosure, as the encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools...
NervJS taro security vulnerability
NervJS taro is an open cross-end cross-framework solution open-sourced by NervJS. A security vulnerability exists in NervJS taro version 4.1.1 and earlier, which stems from an incorrect manipulation of the file taro/packages/css-to-react-native/src/index.js resulting in inefficient regular...
npm react-native-keys security vulnerability
npm react-native-keys is a mobile environment variable security library from US-based npm. A security vulnerability exists in npm react-native-keys version 0.7.11, which stems from encrypted passwords and Base64 blocks being stored in plaintext in compiled native binaries, potentially leading to...
CVE-2025-45001
CVE-2025-45001 affects react-native-keys 0.7.11. The issue is that encryption cipher data and Base64 chunks are stored as plaintext in the compiled native binary, enabling leakage of secrets through basic static analysis. Documents consistently describe this as a remote information-disclosure vul...
PT-2025-24542 · Unknown · React-Native-Keys
Name of the Vulnerable Software and Affected Versions: react-native-keys version 0.7.11
Description: The issue concerns sensitive information disclosure, where encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basi...
MAL-2025-4612 Malicious code in react-native-google-acm (npm)
Source: ghsa-malware (3987a453bfe3f7164232221b3a1a0f9c3c182a6581cf7a9241f4fbb7e77af649). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4576 Malicious code in react-native-xaml-repo (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware (d64cdbdbf3b2ec9cf523f3b4b0b787c947b6c50c2d4d42bf96c13cd906d84c9f). Any computer that has this package installed or running should be considered...
CVE-2024-21668
react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging...
CVE-2024-25466
Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component...
CVE-2023-23556
An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted...