Improper Removal of Sensitive Information Before Storage or Transfer Affecting io.sentry:sentry-android-replay package, versions [,8.14.0)


Severity

high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JAVA-IOSENTRY-10487985
  • Published: 20 Jun 2025
  • Disclosed: 20 Jun 2025
  • Credit: Joseph Van der Wee

Introduced: 20 Jun 2025

CVE: not available. CWE-212

How to fix?

Upgrade io.sentry:sentry-android-replay to version 8.14.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the ComposeViewHierarchyNode object. An attacker can access unmasked sensitive data by reviewing Android session replays that include text composables.

Note:

This is only exploitable if Jetpack Compose version 1.8.0-alpha08 or higher is used and Sentry Session Replays for Android are configured.

Workaround

This vulnerability can be mitigated by downgrading Jetpack Compose to version 1.7.x or lower, or by setting session replay sample rates to 0.0.

PoC

  1. Enable session replay through AndroidManifest.xml meta-data, like so:

        <meta-data
            android:name="io.sentry.session-replay.on-error-sample-rate"
            android:value="1.0" />
        <meta-data
            android:name="io.sentry.session-replay.session-sample-rate"
            android:value="0.1" />

  2. Display a Material 3 Text composable, e.g.:

        import androidx.compose.runtime.Composable

        @Composable
        private fun HelloText() {
            androidx.compose.material3.Text("Hello")
        }
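As an added triage helper (not from the advisory or the Sentry project), the check below combines the three conditions this page states: a sentry-android-replay version below 8.14.0, Jetpack Compose at or above 1.8.0-alpha08, and a non-zero sample rate in either of the two manifest meta-data keys shown in the PoC. It assumes both version strings follow the major.minor.patch[-alpha|beta|rcNN] pattern, treats a missing meta-data key as a rate of 0.0, and uses constructed function names, manifest fragment and version numbers.

```python
import re
import xml.etree.ElementTree as ET

# Added triage helper: checks the three conditions the advisory ties together
# (sentry-android-replay < 8.14.0, Compose >= 1.8.0-alpha08, replay sampled > 0.0).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FIXED_SENTRY_REPLAY = "8.14.0"
FIRST_AFFECTED_COMPOSE = "1.8.0-alpha08"
REPLAY_RATE_KEYS = ("io.sentry.session-replay.on-error-sample-rate",
                    "io.sentry.session-replay.session-sample-rate")
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks above all

def parse_version(v):
    """'1.8.0-alpha08' -> (1, 8, 0, 0, 8); a final release gets the top pre-release rank."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (PRERELEASE_RANK[tag], int(num)) if tag else (len(PRERELEASE_RANK), 0)
    return (int(major), int(minor), int(patch)) + pre

def replay_sample_rates(manifest_xml):
    """Read both Session Replay sample-rate meta-data values; absent keys count as 0.0 (assumption)."""
    rates = dict.fromkeys(REPLAY_RATE_KEYS, 0.0)
    for md in ET.fromstring(manifest_xml).iter("meta-data"):
        name = md.get(ANDROID_NS + "name")
        if name in rates:
            rates[name] = float(md.get(ANDROID_NS + "value", "0.0"))
    return rates

def is_exposed(sentry_replay_version, compose_version, manifest_xml):
    """True only when the vulnerable SDK, an affected Compose and active sampling coincide."""
    vulnerable_sdk = parse_version(sentry_replay_version) < parse_version(FIXED_SENTRY_REPLAY)
    affected_compose = parse_version(compose_version) >= parse_version(FIRST_AFFECTED_COMPOSE)
    replay_on = any(rate > 0.0 for rate in replay_sample_rates(manifest_xml).values())
    return vulnerable_sdk and affected_compose and replay_on

# Constructed manifest fragment reproducing the sample rates from the advisory's PoC.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <meta-data android:name="io.sentry.session-replay.on-error-sample-rate" android:value="1.0" />
    <meta-data android:name="io.sentry.session-replay.session-sample-rate" android:value="0.1" />
  </application>
</manifest>"""

if __name__ == "__main__":
    # Version numbers here are constructed examples, not taken from any real build.
    print(is_exposed("8.13.0", "1.8.0-alpha08", SAMPLE_MANIFEST))  # True: all three conditions hold
    print(is_exposed("8.14.0", "1.8.0-alpha08", SAMPLE_MANIFEST))  # False: fixed SDK version
```

Setting both meta-data values to 0.0 (the advisory's workaround) or dropping Compose to 1.7.x each makes the check return False, which mirrors the conditions in the Note and Workaround sections.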
