CVE-2025-5154

LOW

PhonePe App 25.03.21.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-5154. PoCs published by honestcorrupt.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2025-5154, an insecure local storage vulnerability in the PhonePe Android app where sensitive user data is stored unencrypted in SQLite databases. It includes threat modeling, impact assessment, and disclosure timeline but lacks functional exploit code.

Description

A vulnerability classified as problematic was found in PhonePe App 25.03.21.0 on Android. It affects an unknown function of the file /data/data/com.phonepe.app/databases/ of the component SQLite Database. The manipulation leads to cleartext storage in a file or on disk. The attack requires local access. The exploit has been disclosed to the public and may be used.

Exploits (1)

nomisec WRITEUP 1 star
by honestcorrupt · poc
https://github.com/honestcorrupt/phonepe-sensitive-data-exposure-cve-2025-5154

Classification: Writeup 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: PhonePe Android app v25.03.21.0
No auth needed
Prerequisites: root access or local malware · physical access to the device
devstral-2 · analyzed May 11, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry
https://vuldb.com/?id.310242
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.310242
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.576245

Scores

CVSS v3 2.3
EPSS 0.0017
EPSS Percentile 6.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-312 CWE-313
Status published
Products (1)
phonepe/phonepe 25.03.21.0
Published May 25, 2025
Tracked Since Feb 18, 2026