stripeterminal-core is vulnerable to Improper Restriction of Rendered UI Layers or Frames
32
Low Risk
Affected versions of this package are vulnerable to Cloak & Dagger attacks, a class of exploits targeting Android devices. These attacks allow a malicious app to fully control the UI feedback loop, effectively taking over the device without the user noticing any malicious activity. The attack requires only two permissions that, when the app is installed from the Play Store, do not require explicit user approval or notification. These vulnerabilities affect Android versions up to Android 12. From Android 12 onward, the HIDE_OVERLAY_WINDOWS permission allows apps to prevent overlay attacks by opting out of application overlays. The patched version implements this protection to mitigate the issue.
You are affected if you are using a version that falls within the vulnerable range.
stripeterminal-core is vulnerable to Improper Restriction of Rendered UI Layers or Frames in versions 2.0.0 - 4.1.0.
Upgrade the com.stripe:stripeterminal-core library to the patched version.
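For screens in your own app, the Android 12+ opt-out described above can be applied as in the following sketch. This is an added example, not code from the Stripe Terminal SDK or from this advisory. The class name OverlayHardenedActivity is hypothetical, and the pre-Android 12 touch filter is an assumption about how to cover older devices; it is only a partial fallback, not part of the patched library.

```kotlin
// Added example. Requires this line in AndroidManifest.xml, otherwise
// setHideOverlayWindows() throws SecurityException:
//   <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS" />
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent

// Hypothetical base class for sensitive screens (payment, PIN, consent).
open class OverlayHardenedActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Android 12+ (API 31): non-system overlay windows are hidden
            // for as long as this window is visible.
            window.setHideOverlayWindows(true)
        }
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S && isObscured(ev)) {
            // Older Android: no opt-out exists, so drop touches that arrived
            // while another app's window covered this one.
            return true // consume the event without acting on it
        }
        return super.dispatchTouchEvent(ev)
    }

    private fun isObscured(ev: MotionEvent): Boolean {
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED is only set by the platform on
        // API 29+; on earlier releases only the full-obscure flag is reported.
        val mask = MotionEvent.FLAG_WINDOW_IS_OBSCURED or
            MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED
        return ev.flags and mask != 0
    }
}
```

The touch filter only addresses the overlay half of the attack on older devices, so upgrading the library and running on Android 12 or later remains the effective fix.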