CVE-2025-45001: n/a
react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.
AI Analysis
Technical Summary
CVE-2025-45001 is a high-severity vulnerability affecting the react-native-keys library version 0.7.11. The vulnerability involves sensitive information disclosure due to the insecure storage of encryption-related secrets within the compiled native binary. Specifically, the encryption cipher and Base64-encoded chunks are embedded as plaintext in the binary, making them accessible through straightforward static analysis techniques without requiring any authentication or user interaction. This flaw corresponds to CWE-312, which concerns the cleartext storage of sensitive information. An attacker with access to the compiled application binary can extract these secrets, potentially compromising the confidentiality of encrypted data or enabling further attacks that rely on knowledge of the encryption parameters. The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low complexity, no privileges or user interaction required, and a high impact on confidentiality, but no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because react-native-keys is used in mobile applications built with React Native, which are widely deployed across platforms and industries. The exposure of encryption keys or ciphers undermines the security guarantees of any cryptographic protections implemented using this library, potentially leading to data breaches or unauthorized data access.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for those developing or deploying mobile applications using React Native that incorporate react-native-keys 0.7.11. The exposure of encryption secrets can lead to unauthorized access to sensitive user data, intellectual property, or internal communications. This is particularly critical for sectors handling personal data under GDPR regulations, such as finance, healthcare, and telecommunications, where data confidentiality is paramount. Exploitation could result in data breaches triggering regulatory penalties, reputational damage, and loss of customer trust. Furthermore, attackers could leverage the disclosed secrets to decrypt communications or stored data, facilitating further lateral movement or targeted attacks. Since the vulnerability does not require user interaction or privileges, attackers can remotely analyze distributed app binaries, increasing the attack surface. The lack of patches means organizations must proactively mitigate risk to avoid exposure. Given the widespread adoption of React Native in European app development, the potential impact is broad, affecting both private enterprises and public sector applications.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately audit their mobile applications to identify usage of react-native-keys version 0.7.11 or earlier.
2) If feasible, upgrade to a patched or newer version of the library once available; if no patch exists, consider removing or replacing the library with a secure alternative that does not embed secrets in plaintext.
3) Implement secure key management practices, such as storing encryption keys in secure hardware modules or using platform-specific secure storage APIs (e.g., Android Keystore, iOS Keychain) rather than embedding keys in binaries.
4) Employ code obfuscation and binary hardening techniques to increase the difficulty of static analysis extraction.
5) Monitor application distributions and repositories for unauthorized versions or tampered binaries.
6) Conduct regular security reviews and penetration testing focused on mobile app cryptography implementations.
7) Educate developers on secure coding practices related to cryptographic key handling to prevent similar issues in future releases.
These steps go beyond generic advice by focusing on secure key storage, proactive code auditing, and developer awareness tailored to the specifics of this vulnerability.
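One way to carry out the audit in step 1, as an added example that is not code from this advisory or from the react-native-keys project: a Node.js check that walks an npm lockfile and flags every installed copy of react-native-keys at or below 0.7.11, including copies nested under other packages. The sample lockfile is constructed, and `some-wrapper` is a hypothetical package name.

```javascript
// Added example: audit an npm lockfile for react-native-keys <= 0.7.11.
const PKG = "react-native-keys";
const MAX_AFFECTED = "0.7.11"; // threshold from the advisory; it names no fixed release

// Compare dotted numeric versions, ignoring any pre-release/build suffix.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Return every installed copy of PKG (top-level or nested) with its version.
function findInstalls(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && meta.version) hits.push({ path, version: meta.version });
  }
  if (hits.length > 0) return hits; // v2 files carry both maps; avoid double counting
  // lockfileVersion 1: recursive "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PKG && meta.version) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

function auditLockfile(lock) {
  return findInstalls(lock).map((h) => ({ ...h, affected: compareVersions(h.version, MAX_AFFECTED) <= 0 }));
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/react-native-keys": { version: "0.7.11" },
  "node_modules/some-wrapper/node_modules/react-native-keys": { version: "0.5.2" },
} };
console.log(auditLockfile(sampleLock));
```

Because the advisory links no patched release, a version above 0.7.11 is reported only as outside the stated range, not as fixed.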
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68487f5a1b0bd07c3938af18
Added to database: 6/10/2025, 6:54:18 PM
Last enriched: 7/11/2025, 2:31:27 AM
Last updated: 8/12/2025, 7:09:24 AM
Related Threats
- CVE-2025-55280: CWE-312: Cleartext Storage of Sensitive Information in ZKTeco Co WL20 Biometric Attendance System (Medium)
- CVE-2025-55279: CWE-798: Use of Hard-coded Credentials in ZKTeco Co WL20 Biometric Attendance System (Medium)
- CVE-2025-54465: CWE-798: Use of Hard-coded Credentials in ZKTeco Co WL20 Biometric Attendance System (Medium)
- CVE-2025-54464: CWE-312: Cleartext Storage of Sensitive Information in ZKTeco Co WL20 Biometric Attendance System (High)
- CVE-2025-2713: CWE-269 Improper Privilege Management in Google gVisor (Medium)