CVE-2021-4438 in react-native-sms-user-consent
Summary
by MITRE • 04/07/2024
A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the file android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt. The manipulation leads to improper export of Android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.
Analysis
by VulDB Data Team • 03/21/2025
This critical vulnerability exists in the kyivstarteam react-native-sms-user-consent library version 1.1.4 and earlier on Android platforms, specifically affecting the registerReceiver function within the SmsUserConsentModule.kt file. The flaw represents a serious security weakness that allows for improper export of Android application components, creating potential attack vectors that could compromise the integrity and confidentiality of mobile applications. The vulnerability requires local attack capabilities, meaning an attacker must already have access to the device or application environment to exploit this weakness, which limits its scope but does not eliminate the risk entirely. The issue stems from inadequate component export controls that fail to properly restrict access to sensitive Android broadcast receivers, potentially allowing unauthorized applications or malicious code to intercept SMS-related broadcasts and user consent events.
The vulnerability lies in how the library handles Android's broadcast receiver registration process: the registerReceiver function fails to properly secure or restrict access to the registered components. This misconfiguration creates a situation where potentially malicious applications or code within the same application context can intercept SMS user consent events, leading to unauthorized access to sensitive information including SMS messages and user consent data. The vulnerability directly relates to CWE-276, which addresses improper permissions and access controls in software components, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter usage in exploitation scenarios. The improper export of Android components essentially creates a backdoor mechanism that allows unauthorized entities to monitor and potentially manipulate SMS user consent flows, which could lead to data theft, privacy violations, and unauthorized access to user communications.
The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally compromises the security model of applications that rely on this library for SMS user consent handling. Mobile applications using this library may inadvertently expose sensitive user data to malicious actors who can intercept SMS verification codes, authentication tokens, and other critical information used for user authentication and verification processes. The local attack requirement does not mitigate the risk significantly, as modern mobile applications often run with elevated privileges and may be vulnerable to various attack vectors including malicious code injection, application manipulation, or privilege escalation attacks that could provide the necessary local access. This vulnerability particularly affects applications that implement SMS-based authentication, two-factor authentication systems, and any application requiring user consent for SMS-related operations, potentially leading to account takeovers, data breaches, and unauthorized access to sensitive user information.
Mitigating this vulnerability requires immediate action, including upgrading to version 1.1.5 of the react-native-sms-user-consent library, which contains the patch identified by the commit hash 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. This upgrade addresses the improper export of Android application components by implementing proper access controls and restrictions on broadcast receiver registration. Organizations should conduct thorough security assessments of their applications that utilize this library, ensuring that no other vulnerable components exist within their codebase. Additionally, developers should implement proper security hardening practices, including verification of all Android component exports, implementation of proper access control mechanisms, and regular security auditing of third-party libraries. The remediation process should also include monitoring for any potential exploitation attempts and ensuring that applications properly validate and sanitize all SMS-related inputs and outputs. Security teams should also consider implementing runtime application self-protection measures and monitoring for unauthorized access attempts to broadcast receivers, as this vulnerability could potentially be exploited in combination with other weaknesses in the application architecture.
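The upgrade and component-export checks described above can be scripted. The following is an added example, not code from the library, its patch, or this advisory: a Node.js audit helper that checks a parsed package-lock.json for an affected version and flags two-argument registerReceiver calls in Kotlin or Java source. The function names, the lockfile layout and the sample inputs are assumptions for illustration, and the hardened sample uses the Google Play services constant SmsRetriever.SEND_PERMISSION, which is not necessarily what the 1.1.5 patch does.

```javascript
// Added audit example; names and sample data are illustrative assumptions.
const PKG = "react-native-sms-user-consent";
const FIXED = [1, 1, 5]; // first fixed release named in the advisory

// True when a plain x.y.z version is below the fixed release.
function isAffectedVersion(version) {
  const parts = version.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const p = parts[i] || 0;
    if (p !== FIXED[i]) return p < FIXED[i];
  }
  return false;
}

// Look the package up in a parsed package-lock.json (lockfileVersion 2/3 layout).
function auditLockfile(lock) {
  const entry = (lock.packages || {})["node_modules/" + PKG];
  if (!entry) return { present: false, affected: false };
  return { present: true, version: entry.version, affected: isAffectedVersion(entry.version) };
}

// Return 1-based line numbers of two-argument registerReceiver(receiver, filter)
// calls: no broadcast permission and no export flag limits who may send.
function findUnrestrictedReceivers(source) {
  const hits = [];
  const re = /\bregisterReceiver\s*\(/g; // \b skips unregisterReceiver
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1, commas = 0;
    for (let i = re.lastIndex; i < source.length && depth > 0; i++) {
      if (source[i] === "(") depth++;
      else if (source[i] === ")") depth--;
      else if (source[i] === "," && depth === 1) commas++; // top-level argument separator
    }
    if (commas === 1) hits.push(source.slice(0, m.index).split("\n").length);
  }
  return hits;
}

// Constructed sample inputs (not taken from the project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { ["node_modules/" + PKG]: { version: "1.1.4" } } };
const SAMPLE_WEAK = ["fun start() {",
  "  context.registerReceiver(receiver, IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION))",
  "}"].join("\n");
const SAMPLE_HARDENED = ["fun start() {",
  "  context.registerReceiver(receiver, IntentFilter(SmsRetriever.SMS_RETRIEVED_ACTION),",
  "      SmsRetriever.SEND_PERMISSION, null)",
  "}"].join("\n");
console.log(auditLockfile(SAMPLE_LOCK), findUnrestrictedReceivers(SAMPLE_WEAK));
```

A hit from the source scan is a prompt for manual review, since the scan counts arguments textually and does not resolve which receiver or intent filter is involved.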