Skip to content

Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin

Low severity GitHub Reviewed Published Mar 1, 2024 in getsentry/sentry-react-native • Updated Mar 1, 2024

Package

npm @sentry/react-native (npm)

Affected versions

>= 5.16.0, <= 5.19.0

Patched versions

5.19.1

Description

Impact

SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published.

You may ignore this notification if you are not using authToken configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the authToken.

If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

Patches

The behavior that allowed setting an authToken parameter was fixed in SDK version 5.19.1 where, if this parameter was set, you will see a warning and the authToken would be removed before bundling the application.

Workarounds

  1. Remove authToken from the plugin configuration.
  2. If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

References

References

@oioki oioki published to getsentry/sentry-react-native Mar 1, 2024
Published to the GitHub Advisory Database Mar 1, 2024
Reviewed Mar 1, 2024
Last updated Mar 1, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-68c2-4mpx-qh95

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.