CVE-2015-5257/CVE-2015-8320: Weak Randomization of BridgeSecret for Apache Cordova Android

As of November 25, 2015, this blog post acknowledges that IBM is aware that Cordova announced two CVEs for vulnerabilities on the Android platform. This post will focus on CVE-2015-5257. The other CVE is still being worked on.

Note: On some sites, this CVE may be referred to as CVE-2015-8320. Red Hat made a typo mistake in their CVE using the same number as Cordova, so Cordova’s CVE got pushed to to CVE-2015-8320.”>

CVE-2015-5257: Weak Randomization of BridgeSecret for Apache Cordova Android

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Cordova Android versions up to 3.6.4


Cordova uses a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.

Upgreade Path: Developers who are concerned about this issue should rebuild their applications with Cordova Android 4.1.1 or later. Versions after 3.6.4 do not contain this vulnerability.

Credit: David Kaplan & Roee Hay, IBM X-Force Application Security Research Team</em>

Available iFixes

iFixes will be available shortly for MobileFirst Platform Foundation versions 6.3, 7.0, and 7.1. All of the other earlier versions of the product are unaffected.

Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on May 01, 2016