SQLite Database Vulnerability in PhonePe App for Android Devices
CVE-2025-5154

4.6MEDIUM

Key Information:

Vendor

PhonePe Private Limited

Status
Phonepe App
Vendor
CVE Published:
25 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5154?

A security vulnerability has been identified in the PhonePe App version 25.03.21.0 on Android. This weakness involves an obscure function within the app's SQLite Database, located at /data/data/com.phonepe.app/databases/. The flaw results in cleartext storage of sensitive data on disk, posing a significant risk of unauthorized local access to critical user information. As the exploit has been publicly disclosed, it is essential for users and organizations to be aware of this vulnerability and take necessary precautions.

Affected Version(s)

PhonePe App 25.03.21.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5154 - Proof of Concept

References

https://vuldb.com/?id.310242
vdb-entry
https://vuldb.com/?ctiid.310242
signaturepermissions-required
https://vuldb.com/?submit.576245
third-party-advisory

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

honest_corrupt (VulDB User)
.