CVE-2021-4438: React Native Sms User Consent Intent Redirection Vulnerability
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.06514%
CWE
Published
4/7/2024
Updated
4/8/2024
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
@kyivstarteam/react-native-sms-user-consent | npm | < 1.1.5 | 1.1.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the registerReceiver
function in SmsUserConsentModule.kt
registering a receiver without proper permission constraints. The patch adds SmsRetriever.SEND_PERMISSION
to registerReceiver
's parameters, confirming the vulnerability was caused by missing permission enforcement. CWE-926 directly maps to this unprotected component export scenario. The commit diff and advisory both explicitly reference this function as the attack vector.