CVE-2025-5154

LOW

PhonePe App 25.03.21.0 - Info Disclosure

Title source: llm

Description

A vulnerability, which was classified as problematic, was found in PhonePe App 25.03.21.0 on Android. Affected is an unknown function of the file /data/data/com.phonepe.app/databases/ of the component SQLite Database. The manipulation leads to cleartext storage in a file or on disk. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

References (5)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.310242

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.310242

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.576245

[Exploit] https://github.com/honestcorrupt/-Insecure-Local-Storage-of-Sensitive-User-Data-in-PhonePe-Android-App-Unpatched-

View Exploit ZIP pw:eip

[Not Applicable] https://drive.google.com/drive/folders/1Xj9y2w3E98IZu8PUeGGI0nQPNsvVm87I?usp=sharing

Scores

CVSS v3 2.3

EPSS 0.0005

EPSS Percentile 16.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-312 CWE-313

Status published

Products (1)

phonepe/phonepe 25.03.21.0

Published May 25, 2025

Tracked Since Feb 18, 2026