🔴 CRITICAL: Plain-text Password Storage in Zustand Store (CWE-312) #1263
Open
Description
🔴 CRITICAL Security Vulnerability
Severity: CRITICAL
Type: Security - Cleartext Storage of Sensitive Information
CWE: CWE-312
OWASP: A02:2021 - Cryptographic Failures
📍 Affected Files
- packages/react/src/store/userStore.js (lines 26-27)
- packages/react-native/src/store/userStore.js (lines 13-14)
🔥 Vulnerability Description
Plain-text passwords are stored in the Zustand state management store, making them accessible through:
- Browser memory inspection
- React DevTools
- Application state dumps
- Store persistence middleware (if enabled)
Current Vulnerable Code:

```js
import { create } from 'zustand';

// Vulnerable store: the raw password is kept as a state field, so it is
// readable through React DevTools, memory inspection and any persistence middleware.
const useUserStore = create((set) => ({
  username: null,
  password: null, // CRITICAL: Plain-text password in state
  token: null,
  setPassword: (password) => set(() => ({ password })), // Stores raw password
}));
```

⚠️ Security Impact
- Direct credential exposure in browser memory
- Visible in React DevTools to anyone with browser access
- Persisted to localStorage if persistence is enabled
- Violates security best practices - passwords should never be stored client-side
💥 Exploitation Scenario
- User logs in with username/password
- Password stored in Zustand store
- Attacker opens React DevTools or uses memory inspection
- Password retrieved in clear text
- Attacker gains full account access
✅ Recommended Fix
Remove password storage entirely and use only secure token-based authentication.
🎯 Action Items
- Remove password field from useUserStore in both React and React Native
- Remove setPassword method
- Update login flows to discard password after authentication
- Audit all components using password from store
- Add security test to prevent future password storage
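A hardened store initializer in zustand's `(set) => state` shape plus the "no password in state" security test from the action items, as an added example that is not the project's code. `authenticate` (an injected credential-for-token exchange), `makeTestStore` (a shallow-merge stand-in for zustand's `create`, so the check runs without the package) and the forbidden-key pattern are assumptions.

```javascript
// Added example, not the project's code. Credential-like field names (assumed list).
const FORBIDDEN_KEYS = /^(password|passwd|pwd|secret|pin)$/i;

// Hardened initializer in zustand's `(set) => state` shape; wired up in the app
// with create(createUserState(authenticate)). `authenticate` is an injected
// credential-for-token exchange (assumption); the password never reaches `set`.
const createUserState = (authenticate) => (set) => ({
  username: null,
  token: null,
  login: (username, password) =>
    Promise.resolve(authenticate(username, password))
      .then((token) => set({ username, token })), // password deliberately omitted
  logout: () => set({ username: null, token: null }),
});

// Stand-in for zustand's create() so the check runs without the package:
// shallow-merges updates the way zustand's `set` does.
function makeTestStore(initializer) {
  let state = {};
  const set = (partial) => {
    const next = typeof partial === 'function' ? partial(state) : partial;
    state = { ...state, ...next };
  };
  state = initializer(set);
  return { getState: () => state };
}

// Walk the state (nested objects included) and return the dotted paths of any
// credential-looking field; an empty array means the store is clean.
function findCredentialFields(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    return (FORBIDDEN_KEYS.test(key) ? [here] : [])
      .concat(findCredentialFields(child, here));
  });
}

// Security test from the action items: log in with a constructed credential and
// report whether anything credential-like (by name or by value) reached state.
async function checkLoginLeavesNoPassword() {
  const fakeAuth = (u, p) => `tok-${u}-${p.length}`; // constructed stub
  const store = makeTestStore(createUserState(fakeAuth));
  await store.getState().login('alice', 'hunter2');
  const state = store.getState();
  return {
    leaks: findCredentialFields(state),
    tokenSet: state.token === 'tok-alice-7',
    rawPasswordInState: JSON.stringify(state).includes('hunter2'),
  };
}
```

Run `findCredentialFields(useUserStore.getState())` in a unit test against the real store; the same guard flags the `password` field of the vulnerable store above and passes on the hardened one.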
⏱️ Timeline
Fix Required: Within 24 hours
Priority: P0 - Critical Security Issue
Discovered by: Automated codebase security analysis
Date: April 5, 2026