Published: 2025/09/02  Last Updated: 2025/09/02

JVN#47404248
"Gunosy" App vulnerable to insertion of sensitive information into sent data (CWE-201)

Overview

"Gunosy" App provided by Gunosy Inc. contains a vulnerability where sensitive information may be included in the application's outbound communication.

Products Affected

  • "Gunosy" App for Android versions prior to 7.34.0
  • "Gunosy" App for iOS versions prior to 7.34.0

Description

"Gunosy" App provided by Gunosy Inc. contains the following vulnerability.

  • Insertion of sensitive information into sent data (CWE-201)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Base Score 4.3
    • CVE-2025-44017

Impact

If a user accesses a crafted URL, an attacker may obtain the JWT (JSON Web Token).

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Vendor Status

Vendor        Status      Last Update   Vendor Notes
Gunosy Inc.   Vulnerable  2025/09/02

Credit

YUNAO ZHOU reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-44017
JVN iPedia: JVNDB-2025-000070