react-native-sensitive-info is vulnerable to Insufficient Verification of Data Authenticity
32
Low Risk
The legacy release line relied on AES-GCM alone for ciphertext authenticity, with only weak binding between stored metadata and payloads and no independent integrity check, so tampering with or swapping encrypted blobs could change how an entry decrypts relative to its advertised policy. The JavaScript layer also accepted arbitrarily shaped or oversized keys and values before native encryption and biometric prompts ran. The Nitro-based major release computes an HMAC-SHA256 tag over the metadata and ciphertext and verifies it in constant time, raising IntegrityViolationError before any user-authentication UI is shown; it also tightens Android AAD binding to the logical entry identity and validates inputs early so that invalid payloads never reach the native backends.
You are affected if you are using a version that falls within the vulnerable range.
react-native-sensitive-info is vulnerable to Insufficient Verification of Data Authenticity in versions 1.0.0 - 5.6.2.
Upgrade the react-native-sensitive-info library to the patched version.