Describe the bug
The react-native-config-encrypted package uses an outdated version of crypto-js (3.1.9-1), which contains two known vulnerabilities:
- CVE-2023-46233 - Use of Weak Hash (crypto-js < 4.2.0)
- CVE-2020-36732 - Insecure Randomness (crypto-js >= 3.2.0 < 3.2.1)
These issues could weaken the security of encrypted environment variables, making them potentially susceptible to attacks.
To Reproduce
- Install react-native-config-encrypted in a project.
- Check the package.json and yarn.lock/package-lock.json to verify the crypto-js version.
- Observe that the crypto-js version is 3.1.9-1, which is outdated and vulnerable.
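The lockfile check from the steps above, as an added example that is not part of the issue or of the react-native-config-encrypted project: it reads the crypto-js version resolved in a package-lock.json object (lockfile v1 "dependencies" or v2/v3 "packages" layout) and reports which of the two advisories, using the version ranges exactly as the report states them, cover that version. The lockfile fragment is constructed inline to match the 3.1.9-1 pin described in the issue.

```javascript
// Added example, not the project's code: checks the crypto-js version resolved in a
// package-lock.json against the vulnerable ranges quoted in the report above.
function parseVersion(v) {
  // "MAJOR.MINOR.PATCH[-prerelease]"; the issue's 3.1.9-1 carries a prerelease tag
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative / zero / positive like a comparator; a prerelease sorts before its release (3.1.9-1 < 3.1.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected ranges exactly as the issue states them (not re-verified against the advisories).
const ADVISORIES = [
  { id: 'CVE-2023-46233', affects: v => compareVersions(v, '4.2.0') < 0 },
  { id: 'CVE-2020-36732',
    affects: v => compareVersions(v, '3.2.0') >= 0 && compareVersions(v, '3.2.1') < 0 },
];

// Resolved crypto-js version from a lockfile v2/v3 ("packages") or v1 ("dependencies") object.
function resolvedCryptoJsVersion(lock) {
  const entry = (lock.packages && lock.packages['node_modules/crypto-js'])
    || (lock.dependencies && lock.dependencies['crypto-js']);
  return entry ? entry.version : null;
}

// Returns the pinned version and the ids of the advisories whose range contains it.
function auditCryptoJs(lock) {
  const version = resolvedCryptoJsVersion(lock);
  if (version === null) return { version: null, findings: [] };
  return { version, findings: ADVISORIES.filter(a => a.affects(version)).map(a => a.id) };
}

// Constructed sample lockfile fragment pinning crypto-js at the version the issue reports.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { 'node_modules/crypto-js': { version: '3.1.9-1' } } };

console.log(auditCryptoJs(SAMPLE_LOCK)); // { version: '3.1.9-1', findings: [ 'CVE-2023-46233' ] }
```

With the ranges as written in the report, 3.1.9-1 falls under CVE-2023-46233 only; a version at or above 4.2.0 produces no findings.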
Expected behavior
The package should use a secure version of crypto-js (at least 4.2.0) to mitigate known security risks.
Smartphone (please complete the following information):
N/A
Additional context
Suggested Fix
Upgrade crypto-js to 4.2.0 or later to resolve the known security vulnerabilities.
References:
Thank you for maintaining this package! Looking forward to your response.