GHSA-7cjh-xx4r-qh3f: 
Java vulnerability analysis and mitigation

The vulnerability (GHSA-7cjh-xx4r-qh3f) affects the sentry-android SDK versions prior to 8.14.0, specifically impacting applications using Jetpack Compose version 1.8.0-alpha08 or later with Session Replays enabled. The issue was discovered in May 2025 and was patched with the release of sentry-android SDK version 8.14.0 on June 17, 2025 (GitHub Advisory).

The vulnerability stems from a change in Jetpack Compose 1.8+ where LayoutNode.collapsedSemantics was removed in favor of LayoutNode.getSemanticsConfiguration(). This change caused the SDK to fail in properly masking sensitive data in text composables during Android Session Replays. The vulnerability has been assigned a high severity rating with a CVSS score of 8.2, characterized by network attack vector, low attack complexity, and high confidentiality impact (GitHub Advisory).

When exploited, the vulnerability exposes unmasked sensitive data in Android Session Replays for applications using the affected versions. This primarily affects text composables that should have been masked but were exposed in session recordings, potentially leading to unauthorized access to sensitive information (GitHub Advisory).

The primary mitigation is to upgrade the sentry-android SDK to version 8.14.0. For cases where immediate upgrade isn't possible, two workarounds are available: downgrade Jetpack Compose to version 1.7.x or lower, or set session sample rates to 0.0 using options.sessionReplay.onErrorSampleRate and options.sessionReplay.sessionSampleRate. Users who have confirmed exposure of sensitive data can delete individual replays or contact Sentry support for bulk deletion (GitHub Advisory, Sentry Release).