GHSA-7cjh-xx4r-qh3f

Source
https://github.com/advisories/GHSA-7cjh-xx4r-qh3f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-7cjh-xx4r-qh3f/GHSA-7cjh-xx4r-qh3f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7cjh-xx4r-qh3f
Published
2025-06-20T13:28:26Z
Modified
2025-06-20T20:08:08.119505Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+
Details

Impact

Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet all of the following conditions:
- Using any sentry-android version < 8.14.0
- Using Jetpack Compose >= 1.8.0-alpha08 (this includes any alpha, beta, release candidate, or general availability release after this version)
- Have configured Sentry Session Replays for Android

Important: If you do not use Jetpack Compose, or have never used a version >= 1.8.0-alpha08, you are not impacted.

Important: If you have not configured Session Replays for Mobile, you are not impacted.

How do I check if I'm impacted?

If you meet the conditions above, the sentry-android package emits a specific error log entry that indicates you may be impacted. Customers can search logcat for this entry.
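The three conditions above can be checked mechanically from the dependency versions an app declares and its Session Replay settings. The following is an added example, not Sentry's code and not part of the advisory: the thresholds (8.14.0 and 1.8.0-alpha08) are taken from the advisory text, while the version ordering is a simplified approximation of Maven/Gradle semantics (alpha < beta < rc < final release) that is sufficient for the sentry-android and Jetpack Compose version schemes.

```python
"""Added example: evaluate the GHSA-7cjh-xx4r-qh3f impact conditions from
declared dependency versions and Session Replay settings.

This is not Sentry's code. The version ordering below is a simplified
approximation of Maven/Gradle semantics (alpha < beta < rc < final release)
that is adequate for the sentry-android and Jetpack Compose version schemes;
the thresholds come from the advisory text.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds stated in the advisory.
SENTRY_ANDROID_FIXED = "8.14.0"
COMPOSE_FIRST_AFFECTED = "1.8.0-alpha08"

PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release sorts after every pre-release of the same number

_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)[-.]?(\d+)?)?", re.IGNORECASE
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '1.8.0-alpha08' into a sortable key ((1, 8, 0), 0, 8)."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad '1.8' to (1, 8, 0)
    if m.group(2) is None:
        return numbers, FINAL_RANK, 0
    return numbers, PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0)


@dataclass
class Exposure:
    impacted: bool
    # Advisory conditions that are NOT met, i.e. the reasons the app is safe.
    unmet_conditions: List[str] = field(default_factory=list)


def assess(
    sentry_android: str,
    compose: Optional[str],
    session_sample_rate: float,
    on_error_sample_rate: float,
) -> Exposure:
    """Apply the advisory's three conditions; all must hold to be impacted."""
    unmet: List[str] = []

    if parse_version(sentry_android) >= parse_version(SENTRY_ANDROID_FIXED):
        unmet.append(f"sentry-android {sentry_android} already contains the fix")

    if compose is None:
        unmet.append("Jetpack Compose is not used")
    elif parse_version(compose) < parse_version(COMPOSE_FIRST_AFFECTED):
        unmet.append(f"Jetpack Compose {compose} is older than {COMPOSE_FIRST_AFFECTED}")

    # Both rates at 0.0 is the advisory's workaround: no replays are captured.
    if session_sample_rate <= 0.0 and on_error_sample_rate <= 0.0:
        unmet.append("Session Replay sample rates are 0.0, so no replays are captured")

    return Exposure(impacted=not unmet, unmet_conditions=unmet)


if __name__ == "__main__":
    # Constructed sample input: a pre-fix SDK with a recent Compose and replays on.
    result = assess("8.13.3", "1.8.0", session_sample_rate=0.1, on_error_sample_rate=1.0)
    print("impacted" if result.impacted else "not impacted", result.unmet_conditions)
```

The check deliberately treats the advisory's conditions as a conjunction: a single unmet condition (fixed SDK, no Compose, Compose older than 1.8.0-alpha08, or both replay sample rates at 0.0) is enough to rule out exposure, which mirrors the two "Important" notes above. The pre-release handling matters here because the Compose threshold is itself an alpha build, so a naive numeric comparison of "1.8.0" against "1.8.0-alpha08" would get the ordering wrong.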

I'm impacted and want this data deleted

If you've confirmed that you're affected and unmasked sensitive data in Session Replays has reached Sentry servers, see the Sentry documentation on deleting individual replays. To request bulk deletion, contact your Account Manager or support@sentry.io.

Patches

Upgrade the sentry-android SDK to version 8.14.0

Workarounds

We recommend upgrading to the latest version of the SDK, but if that is not an option, customers may either:
- Downgrade their use of Jetpack Compose to <= 1.7.x
- Drop session sample rates to 0.0:

options.sessionReplay.onErrorSampleRate = 0.0
options.sessionReplay.sessionSampleRate = 0.0

Please see our documentation for more information on configuring Session Replays for Android.

References

This issue was identified in Issue https://github.com/getsentry/sentry-java/issues/4467 and fixed in https://github.com/getsentry/sentry-java/pull/4485

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-532"
    ],
    "github_reviewed_at": "2025-06-20T13:28:26Z"
}
Affected packages

Maven / io.sentry:sentry-android

Package

Name
io.sentry:sentry-android
Purl
pkg:maven/io.sentry/sentry-android

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.14.0

Affected versions

1.*

1.0.0-beta
1.0.0-beta2
1.0.0-beta3
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
1.7.28
1.7.29
1.7.30

2.*

2.0.0-alpha04
2.0.0-alpha05
2.0.2
2.0.3
2.1.0-alpha.1
2.1.0-alpha.2
2.1.0-beta.1
2.1.0-beta.2
2.1.0-RC.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2

3.*

3.0.0-alpha.1
3.0.0-beta.1
3.0.0
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1

4.*

4.0.0-alpha.1
4.0.0-alpha.2
4.0.0-alpha.3
4.0.0-beta.1
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0-alpha.1
4.4.0-alpha.2

5.*

5.0.0-beta.1
5.0.0-beta.2
5.0.0-beta.3
5.0.0-beta.4
5.0.0-beta.5
5.0.0-beta.6
5.0.0-beta.7
5.0.0
5.0.1
5.1.0-beta.1
5.1.0-beta.2
5.1.0-beta.3
5.1.0-beta.4
5.1.0-beta.5
5.1.0-beta.6
5.1.0-beta.7
5.1.0-beta.8
5.1.0-beta.9
5.1.0
5.1.1
5.1.2
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.3.0
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.5.1
5.5.2
5.5.3
5.6.0
5.6.1
5.6.2-beta.1
5.6.2-beta.2
5.6.2-beta.3
5.6.2
5.6.3
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4

6.*

6.0.0-alpha.1
6.0.0-alpha.2
6.0.0-alpha.3
6.0.0-alpha.4
6.0.0-alpha.5
6.0.0-alpha.6
6.0.0-beta.1
6.0.0-beta.2
6.0.0-beta.3
6.0.0-beta.4
6.0.0-rc.1
6.0.0
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
6.5.0-beta.1
6.5.0-beta.2
6.5.0-beta.3
6.5.0
6.6.0
6.7.0-alpha.1
6.7.0
6.7.1
6.8.0
6.9.0
6.9.1
6.9.2
6.10.0
6.11.0
6.12.0
6.12.1
6.13.0
6.13.1
6.14.0
6.15.0
6.16.0-beta.1
6.16.0
6.17.0
6.18.0
6.18.1
6.19.0
6.19.1
6.20.0
6.21.0
6.22.0
6.23.0
6.24.0
6.25.0
6.25.1
6.25.2
6.26.0
6.27.0
6.28.0
6.29.0
6.30.0
6.31.0
6.32.0
6.33.0
6.33.1
6.33.2-beta.1
6.34.0

7.*

7.0.0-beta.1
7.0.0-rc.1
7.0.0-rc.2
7.0.0
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
7.7.0
7.8.0-alpha.0
7.8.0
7.9.0-alpha.1
7.9.0
7.10.0
7.11.0-alpha.2
7.11.0
7.12.0-alpha.3
7.12.0-alpha.4
7.12.0
7.12.1
7.13.0
7.14.0
7.15.0-alpha.1
7.15.0
7.16.0-alpha.1
7.16.0
7.17.0-alpha.1
7.17.0
7.18.0
7.18.1
7.19.0
7.19.1
7.20.0
7.20.1
7.21.0-beta.1
7.21.0
7.22.0
7.22.1
7.22.2
7.22.3
7.22.4
7.22.5

8.*

8.0.0-alpha.1
8.0.0-alpha.2
8.0.0-alpha.3
8.0.0-alpha.4
8.0.0-beta.1
8.0.0-beta.2
8.0.0-beta.3
8.0.0-rc.1
8.0.0-rc.2
8.0.0-rc.3
8.0.0-rc.4
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.8.0
8.9.0-alpha.1
8.9.0
8.10.0-alpha.1
8.10.0
8.11.0-alpha.1
8.11.0
8.11.1
8.12.0
8.13.0
8.13.1
8.13.2
8.13.3

Maven / io.sentry:sentry-android-replay

Package

Name
io.sentry:sentry-android-replay
Purl
pkg:maven/io.sentry/sentry-android-replay

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.14.0

Affected versions

7.*

7.8.0-alpha.0
7.9.0-alpha.1
7.11.0-alpha.2
7.12.0-alpha.3
7.12.0-alpha.4
7.12.0
7.12.1
7.13.0
7.14.0
7.15.0-alpha.1
7.15.0
7.16.0-alpha.1
7.16.0
7.17.0-alpha.1
7.17.0
7.18.0
7.18.1
7.19.0
7.19.1
7.20.0
7.20.1
7.21.0-beta.1
7.21.0
7.22.0
7.22.1
7.22.2
7.22.3
7.22.4
7.22.5

8.*

8.0.0-beta.1
8.0.0-beta.2
8.0.0-beta.3
8.0.0-rc.1
8.0.0-rc.2
8.0.0-rc.3
8.0.0-rc.4
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.8.0
8.9.0-alpha.1
8.9.0
8.10.0-alpha.1
8.10.0
8.11.0-alpha.1
8.11.0
8.11.1
8.12.0
8.13.0
8.13.1
8.13.2
8.13.3