CVE-2026-58460

ajith-ab · react-native-receive-sharing-intent

A path traversal vulnerability in the react-native-receive-sharing-intent library allows malicious co-resident applications to overwrite files outside the intended cache directory.

Executive summary

A path traversal vulnerability in the react-native-receive-sharing-intent library allows malicious co-resident applications to conduct unauthorized file system operations.

Vulnerability

This is a path traversal vulnerability where a malicious application on the same device can supply a crafted _display_name value containing directory traversal sequences. This allows the attacker to write files to arbitrary locations outside the application’s designated cache directory via the ContentProvider.

Business impact

The CVSS score of 7.7 reflects the risk of privilege escalation and potential data destruction on mobile devices. If exploited, a malicious application could overwrite critical files or configuration data, leading to application instability or the exfiltration of sensitive information stored within the mobile environment.

Remediation

Immediate Action: Update the react-native-receive-sharing-intent dependency in all affected mobile applications to the version containing the security fix.

Proactive Monitoring: Review application logs for unexpected file write errors or anomalous path components in content provider interactions.

Compensating Controls: Implement strict input validation for all data received via ContentProviders to ensure that file names do not contain path traversal characters.
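One way to implement the compensating control above, as an added example (not code from the library or its fix): plain Java that rejects a provider-supplied _display_name containing separators or dot segments, then confirms the canonical target stays under the cache directory. SafeCacheFile, resolve and the sample names are hypothetical, and a temp directory stands in for the app's cache directory.

```java
import java.io.File;
import java.io.IOException;

// Added example; SafeCacheFile and resolve are hypothetical names, not the library's API.
public final class SafeCacheFile {

    // Map an untrusted _display_name to a file guaranteed to sit directly inside cacheDir.
    static File resolve(File cacheDir, String displayName) throws IOException {
        if (displayName == null || displayName.isEmpty()) {
            throw new IOException("missing display name");
        }
        // A display name is a single file name: no separators, dot segments or NUL bytes.
        if (displayName.contains("/") || displayName.contains("\\")
                || displayName.equals(".") || displayName.equals("..")
                || displayName.indexOf('\0') >= 0) {
            throw new IOException("display name contains path components");
        }
        // Defence in depth: resolve symlinks and compare canonical paths before writing.
        File base = cacheDir.getCanonicalFile();
        File target = new File(base, displayName).getCanonicalFile();
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("resolved path escapes cache directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: stand-in for the directory an Android app gets from getCacheDir().
        File cache = new File(System.getProperty("java.io.tmpdir"), "share-cache");
        if (!cache.isDirectory() && !cache.mkdirs()) {
            throw new IOException("cannot create " + cache);
        }
        // Constructed sample values for the provider-supplied _display_name column.
        String[] samples = {
            "photo.jpg", "../../files/settings.json", "..", "..\\..\\prefs.xml", ""
        };
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> " + resolve(cache, s));
            } catch (IOException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the others are rejected before any file is opened for writing.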

Exploitation status

Public Exploit Available: false

Analyst recommendation

Developers should immediately audit their mobile application dependencies and update the affected library. Given the risk of local file system manipulation, ensuring that inputs are properly sanitized is critical for maintaining the security posture of the mobile application.