
Cloud Vulnerability DB
A community-led vulnerabilities database
react-native-mmkv, a library for using MMKV in React Native applications, contained a security vulnerability (CVE-2024-21668) where versions prior to 2.11.0 logged the optional encryption key for the MMKV database into the Android system log. This vulnerability was discovered and disclosed on January 9, 2024, affecting all versions of react-native-mmkv before 2.11.0 on Android devices, while iOS devices were not impacted (NVD).
The vulnerability stems from the improper handling of sensitive information, specifically the encryption key used for the MMKV database. The issue was classified as CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability received a CVSS v3.1 score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact but no impact on integrity or availability (NVD).
The vulnerability exposes the encryption key to anyone with access to the Android Debug Bridge (ADB) if it is enabled in the phone settings. Because the encryption secret is written to the system logs, an attacker can trivially recover it by enabling ADB, potentially undermining an app's threat model and compromising the security of the encrypted MMKV database (NVD).
The vulnerability has been patched in version 2.11.0 of react-native-mmkv. Users are advised to upgrade to this version or later to address the security issue. The fix involves removing the logging of encryption keys in the Android system logs (GitHub Patch, GitHub Release).
Source: This report was generated using AI