AIKIDO-2026-10992

@sentry/react-native is vulnerable to Relative Path Traversal

Relative Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 4 days ago

Medium Risk

This Affects:

JavaScript: @sentry/react-native
Affected versions: 1.0.0 - 8.9.2
Fixed in 8.11.1

TL;DR

The @sentry/react-native native getDataFromUri bridge could read file and content URIs outside the app's allowed storage roots when given attacker-influenced paths. Metro dev middleware and web release constant injection also lacked path containment or proper escaping, enabling directory escape during development and script injection in generated bundles. Gradle upload logging could expose Sentry auth tokens when flavor-aware CLI arguments were enabled. The patch restricts URI targets, canonicalizes Metro paths, JSON-escapes injected release fields, and masks tokens in lifecycle logs.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@sentry/react-native is vulnerable to Relative Path Traversal in versions 1.0.0 - 8.9.2.

How to fix this

Upgrade the @sentry/react-native library to the patched version, 8.11.1 or later.