PT-2024-19010 · Unknown · React-Native-Mmkv

Maxammann · Published 2024-01-09 · Updated 2024-01-16 · CVE-2024-21668

CVSS v3.1: 4.4 (Medium)

Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

react-native-mmkv versions prior to 2.11.0

Description

Before version 2.11.0, the react-native-mmkv library logged the optional encryption key for the MMKV database to the Android system log. Anyone with access to the Android Debug Bridge (ADB) could obtain the key if ADB was enabled in the phone settings. The issue is not present on iOS devices. Because the encryption secret is logged, an attacker can recover it and undermine an app's threat model. The encryption of an MMKV database protects data from higher-privilege processes on the phone and also encrypts data in potential backups.

Recommendations

For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of the encryption key or restricting access to the Android Debugging Bridge (ADB) until the update is applied.
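
A regression check for the kind of leak described above, as an added example that is not part of the advisory or of react-native-mmkv: a test build is given a canary encryption key, and a saved log capture is searched for that key in plain, hex and base64 form. The canary value, the log tags and the sample lines are constructed for illustration, and the capture is assumed to come from `adb logcat -d` on a test device.

```python
"""Canary check: does a saved Android log capture contain the MMKV encryption key?"""
import base64
import re

CANARY = "CANARY-KEY-7f3a9"  # constructed test-only key, never a production secret

# Constructed sample capture in logcat "threadtime" layout; tags are hypothetical.
SAMPLE_LOG = "\n".join([
    "01-09 10:15:01.120  4211  4211 I ExampleApp: starting storage layer",
    f"01-09 10:15:01.134  4211  4240 I ExampleStorage: open id=user key={CANARY}",
    f"01-09 10:15:01.150  4211  4240 D ExampleStorage: key bytes {CANARY.encode().hex().upper()}",
    "01-09 10:15:01.201  4211  4211 I ExampleApp: storage ready",
])


def key_encodings(key):
    """Forms in which a key could plausibly end up in a log line."""
    raw = key.encode("utf-8")
    return {
        "plain": key,
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def find_key_leaks(log_text, key):
    """Return (line_number, encoding, redacted_line) for every line holding the key."""
    if len(key) < 8:
        raise ValueError("canary key too short to match reliably")
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for name, needle in key_encodings(key).items():
            # Hex dumps may be upper or lower case; the other forms are case-sensitive.
            flags = re.IGNORECASE if name == "hex" else 0
            pattern = re.compile(re.escape(needle), flags)
            if pattern.search(line):
                # Redact before reporting so the check does not re-leak the key.
                hits.append((number, name, pattern.sub("<redacted>", line)))
                break
    return hits


if __name__ == "__main__":
    for number, encoding, line in find_key_leaks(SAMPLE_LOG, CANARY):
        print(f"line {number}: key present ({encoding}): {line}")
```

Run against a capture from a build on 2.11.0 or later, the function should return an empty list; any hit means the key is still reaching the system log.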

Exploit

Fix

Insertion into Log File

Weakness Enumeration

Related Identifiers

CVE-2024-21668
GHSA-4JH3-6JHV-2MGP

Affected Products

React-Native-Mmkv