PTKD Mobile App Security
Severity: high · M2 · MASVS-CODE-3 · supply · analysis · PTKD-SUPPLY-CVE

Vulnerable third-party dependency

A bundled library version matches a published CVE in the offline feed.

How it's exploited

Because the bundled library version matches a published CVE, the weakness is already public. Exploit writeups for popular mobile libraries circulate quickly, and attackers fingerprint apps by their SDK versions.

Why it matters

You inherit someone else's remote-code-execution or data-leak bug, with your app's permissions and your users' data.

How to fix it

  1. Upgrade the dependency to the fixed version named in the finding's CVE reference.
  2. Add a dependency-review gate in CI (the PTKD build gate can fail on new criticals).
  3. Prune SDKs you no longer use; every dependency is attack surface.
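The dependency-review gate from step 2, as an added example that is not PTKD's own build gate: it matches a lockfile's bundled library versions against an offline advisory feed by version range, then fails only on findings at or above a severity threshold that an accepted baseline does not already list, so a known, tracked finding does not re-fail every build. Library names, CVE ids, the feed format and the sample data are constructed placeholders.

```python
"""Dependency-review gate: offline CVE feed vs. bundled library versions.
Added example for this knowledge-base entry, not PTKD's own gate; the feed
schema, library names and CVE ids below are constructed placeholders."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    library: str
    cve: str         # placeholder id in the sample feed
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)
    severity: str    # "low" | "medium" | "high" | "critical"

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def parse_version(v):
    """'3.12.0' -> (3, 12, 0): compare numerically, so 3.12 > 3.9.
    Pre-release suffixes are not handled by this simplified parser."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, adv):
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def match_feed(lockfile, feed):
    """Map (library, version) -> matching advisories for every bundled library."""
    hits = {}
    for lib, ver in lockfile.items():
        found = [a for a in feed if a.library == lib and is_affected(ver, a)]
        if found:
            hits[(lib, ver)] = found
    return hits

def gate(lockfile, feed, baseline, threshold="critical"):
    """Return (fail, new_cves). Fails only on CVEs at or above `threshold`
    that the accepted baseline does not already list, so the gate reports
    new criticals rather than re-failing on a tracked, accepted finding."""
    floor = SEVERITY_RANK[threshold]
    new = sorted(a.cve for advs in match_feed(lockfile, feed).values() for a in advs
                 if SEVERITY_RANK[a.severity] >= floor and a.cve not in baseline)
    return (bool(new), new)

# Constructed sample input: a lockfile and a tiny offline feed.
LOCKFILE = {"acme-http": "3.12.0", "acme-json": "2.8.5", "acme-image": "1.4.2"}
FEED = [
    Advisory("acme-http", "CVE-PLACEHOLDER-1", "3.0.0", "3.13.0", "critical"),
    Advisory("acme-json", "CVE-PLACEHOLDER-2", "2.0.0", "2.8.9", "high"),
    Advisory("acme-image", "CVE-PLACEHOLDER-3", "1.0.0", "1.4.0", "critical"),  # fixed in 1.4.2
]

if __name__ == "__main__":
    fail, new = gate(LOCKFILE, FEED, baseline=set())
    print("FAIL" if fail else "PASS", new)  # FAIL ['CVE-PLACEHOLDER-1']
```

Upgrading acme-http past 3.13.0 (step 1) clears the critical; lowering `threshold` to "high" also surfaces the acme-json finding.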

References