
GHSA-7cjh-xx4r-qh3f

sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+

Published: Jun 20, 2025
Updated: Jun 20, 2025
Affected: 2 pkgs
Patched: 2 / 2
Exploits: None indexed

Blast Radius

2 pkgs affected
  • io.sentry:sentry-android
  • io.sentry:sentry-android-replay

Description

Impact

Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet the following conditions:

  • Using any sentry-android with versions < 8.14.0
  • Using Jetpack Compose >= 1.8.0-alpha08
    • This includes any alpha, beta, release candidate, or general availability after this version
  • Have configured Sentry Session Replays for Android

[!IMPORTANT] If you do not use Jetpack Compose or have never used a version >= 1.8.0-alpha08 you are not impacted.

[!IMPORTANT] If you have not configured Session Replays for Mobile you are not impacted.

How do I check if I'm impacted?

If you meet the conditions above, the sentry-android package includes a specific error log that would indicate you may be impacted. Customers may use logcat to search for this event.
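As an added example (not part of the advisory or of the Sentry project), the following Python check runs the two version conditions above over a Gradle dependency report: sentry-android below 8.14.0 together with Jetpack Compose at or above 1.8.0-alpha08, with alpha, beta, rc and GA releases ordered correctly. It assumes the `androidx.compose.ui` artifacts carry the Compose version and that the report uses `gradle dependencies` notation; whether Session Replay is configured is not visible in a dependency graph, so it flags candidates only.

```python
import re

# Constructed sample in the style of a `gradle :app:dependencies` report (not from the advisory).
SAMPLE_REPORT = """\
+--- io.sentry:sentry-android:8.13.2
|    +--- io.sentry:sentry-android-core:8.13.2
|    \\--- io.sentry:sentry-android-replay:8.13.2
+--- androidx.compose.ui:ui:1.8.0-alpha07 -> 1.8.0-beta02
\\--- androidx.compose.ui:ui-tooling:1.8.0-beta02 (*)
"""

PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
GA_RANK = 3  # a GA release sorts after every alpha/beta/rc of the same number

def parse_version(text):
    """'1.8.0-alpha08' -> (1, 8, 0, 0, 8); '8.14.0' -> (8, 14, 0, 3, 0); tuples compare in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    pre = (PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (GA_RANK, 0)
    return nums + pre

# Matches 'group:artifact:version' and Gradle's 'declared -> resolved' override notation.
DEP_LINE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<declared>[\w.\-]+)(?: -> (?P<resolved>[\w.\-]+))?")

def resolved_versions(report):
    """Map 'group:artifact' -> the version Gradle actually resolved."""
    versions = {}
    for line in report.splitlines():
        m = DEP_LINE.search(line)
        if m:
            versions[f"{m['group']}:{m['artifact']}"] = m["resolved"] or m["declared"]
    return versions

def assess(report):
    """Check the two dependency conditions from the advisory against one module's graph."""
    versions = resolved_versions(report)
    vulnerable_sentry = {
        coord: v for coord, v in versions.items()
        if coord in ("io.sentry:sentry-android", "io.sentry:sentry-android-replay")
        and parse_version(v) < parse_version("8.14.0")
    }
    affected_compose = {  # assumption: androidx.compose.ui artifacts carry the Compose version
        coord: v for coord, v in versions.items()
        if coord.startswith("androidx.compose.ui:") and parse_version(v) >= parse_version("1.8.0-alpha08")
    }
    # Session Replay configuration is not visible in the graph, so this only flags candidates.
    return {"vulnerable_sentry": vulnerable_sentry, "affected_compose": affected_compose,
            "candidate": bool(vulnerable_sentry and affected_compose)}
```

Run `assess()` over the output of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` for each application module; a `candidate` result still needs the Session Replay configuration and the logcat check above to confirm exposure.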

I'm impacted and want this data deleted

If you've confirmed that you're affected and unmasked sensitive data in Session Replays has reached Sentry servers, please see this documentation on deleting individual replays. If you'd like to request bulk deletion, please reach out to your Account Manager or [email protected].

Patches

Upgrade the sentry-android SDK to version 8.14.0

Workarounds

We recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either:

  • Downgrade their use of Jetpack Compose to <= 1.7.x
  • Drop session sample rates to 0.0:
    options.sessionReplay.onErrorSampleRate = 0.0
    options.sessionReplay.sessionSampleRate = 0.0

Please see our documentation for more information on configuring Session Replays for Android.

References

This issue was identified in Issue https://github.com/getsentry/sentry-java/issues/4467 and fixed in https://github.com/getsentry/sentry-java/pull/4485

Affected Packages

2 total, 2 fixed

Ecosystem   Package                            Vulnerable range   Fix
Maven       io.sentry:sentry-android           all versions       8.14.0
Maven       io.sentry:sentry-android-replay    all versions       8.14.0

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.sentry:sentry-android. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update io.sentry:sentry-android to 8.14.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7cjh-xx4r-qh3f is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-7cjh-xx4r-qh3f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-7cjh-xx4r-qh3f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
