Headline
GHSA-7cjh-xx4r-qh3f: sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+
Impact
Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet the following conditions:
- Using any
sentry-androidwith versions < 8.14.0 - Using Jetpack Compose >= 1.8.0-alpha08
- Have configured Sentry Session Replays for Android
If you do not use Jetpack Compose or have never used a version >= 1.8.0-alpha08 you are not impacted. If you have not configured Session Replays for Mobile you are not impacted.
How do I check if I’m impacted?
If you meet the conditions above, the sentry-android package includes a specific error log that would indicate you may be impacted. Customers may use logcat to search for this event.
I’m impacted and want this data deleted
If you’ve confirmed that you’re affected and unmasked sensitive data in Session Replays have reached Sentry servers, please reach out to your Account Manager or support@sentry.io to request deletion.
Patches
Upgrade the sentry-android SDK to version 8.14.0
Workarounds
We recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either:
- Downgrade their use of Jetpack Compose to <= 1.7.x
- Drop session sample rates to 0.0
options.sessionReplay.onErrorSampleRate = 0.0
options.sessionReplay.sessionSampleRate = 0.0
Please see our documentation for more information configuring Session Replays for Android.
References
This issue was identified in Issue https://github.com/getsentry/sentry-java/issues/4467 and fixed in https://github.com/getsentry/sentry-java/pull/4485
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-7cjh-xx4r-qh3f
sentry-android unmasked sensitive data in Android Session Replays for users of Jetpack Compose 1.8+
High severity GitHub Reviewed Published Jun 19, 2025 in getsentry/sentry-java • Updated Jun 20, 2025
Package
maven io.sentry:sentry-android (Maven)
Affected versions
< 8.14.0
maven io.sentry:sentry-android-replay (Maven)
Impact
Under specific circumstances, text composables may contain unmasked sensitive data in Android session replays. You may be impacted if you meet the following conditions:
- Using any sentry-android with versions < 8.14.0
- Using Jetpack Compose >= 1.8.0-alpha08
- Have configured Sentry Session Replays for Android
If you do not use Jetpack Compose or have never used a version >= 1.8.0-alpha08 you are not impacted. If you have not configured Session Replays for Mobile you are not impacted.
How do I check if I’m impacted?
If you meet the conditions above, the sentry-android package includes a specific error log that would indicate you may be impacted. Customers may use logcat to search for this event.
I’m impacted and want this data deleted
If you’ve confirmed that you’re affected and unmasked sensitive data in Session Replays have reached Sentry servers, please reach out to your Account Manager or support@sentry.io to request deletion.
Patches
Upgrade the sentry-android SDK to version 8.14.0
Workarounds
We recommend upgrading to the latest version of the SDK, but if it is not an option, customers may either:
Downgrade their use of Jetpack Compose to <= 1.7.x
Drop session sample rates to 0.0
options.sessionReplay.onErrorSampleRate = 0.0 options.sessionReplay.sessionSampleRate = 0.0
Please see our documentation for more information configuring Session Replays for Android.
References
This issue was identified in Issue getsentry/sentry-java#4467 and fixed in getsentry/sentry-java#4485
References
- GHSA-7cjh-xx4r-qh3f
- getsentry/sentry-java#4467
- getsentry/sentry-java#4485
- getsentry/sentry-java@8bfa9cc
- https://github.com/getsentry/sentry-java/releases/tag/8.14.0
Published to the GitHub Advisory Database
Jun 20, 2025
Last updated
Jun 20, 2025