CVE-2026-5682
Risky Cryptographic Algorithm in Meesho App /api Endpoint
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| meesho | online_shopping_app | to 27.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-310 | Cryptographic Issues |
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Meesho Android app involves insecure cryptographic implementation in the component com.meesho.supply. Specifically, the app uses AES encryption in CBC mode without integrity protection and derives encryption keys using the insecure MD5 hash algorithm without salting or iteration.
This weak cryptographic design allows attackers to tamper with encrypted data undetected, potentially perform padding oracle attacks, and manipulate API parameters. The encrypted payloads are formatted as Base64 encoded initialization vector concatenated with Base64 encoded ciphertext, which can be intercepted and modified by attackers.
The vulnerability is difficult to exploit and requires a high level of complexity, but it has been publicly disclosed and can be used by attackers remotely.
How can this vulnerability impact me? :
This vulnerability can impact users and the application by allowing attackers to manipulate encrypted data without detection, leading to unauthorized changes in API requests.
- Ciphertext tampering without detection.
- Potential padding oracle attacks that can reveal sensitive information.
- Data integrity violations and unauthorized manipulation of API parameters.
- Replay attacks due to lack of request authentication or nonce validation.
- Possible exposure of sensitive data through cryptographic weaknesses.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and analyzing the encrypted API requests sent by the Meesho Android app, specifically those targeting the /api/endpoint of the com.meesho.supply component. The encrypted payloads are formatted as Base64(IV) concatenated with Base64(ciphertext) separated by a dot.
Using interception tools like Burp Suite, you can capture these encrypted messages and attempt to modify the ciphertext bytes. If the server accepts modified ciphertexts and reveals different error responses, this indicates a padding oracle vulnerability and confirms the presence of the insecure cryptographic implementation.
- Use Burp Suite or a similar proxy tool to intercept API requests from the Meesho app.
- Look for requests with parameters formatted as Base64(IV).Base64(ciphertext).
- Modify ciphertext bytes in intercepted requests and observe server responses for error differences.
There are no specific command-line commands provided, but the detection relies on manual interception and ciphertext manipulation using tools like Burp Suite.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps involve addressing the insecure cryptographic implementation in the Meesho Android app:
- Replace the AES-CBC encryption mode with an authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 to provide confidentiality and integrity.
- Replace the weak MD5-based key derivation with a secure key derivation function like PBKDF2, Argon2, or bcrypt that includes salting and iteration.
- Implement message authentication codes (e.g., HMAC) to ensure integrity and authenticity of encrypted data before decryption.
- Validate message integrity and authenticity on the server side prior to processing any encrypted payloads.
Since the vulnerability is in the app's cryptographic design, patching the app with these improvements is essential. Until then, monitoring and restricting API access may help reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Meesho Android app involves the use of weak cryptographic algorithms and lack of integrity protection, which can lead to unauthorized data manipulation and potential data breaches.
Such cryptographic weaknesses violate best practices outlined in security standards and frameworks like OWASP Mobile Top 10 (M5 - Insufficient Cryptography) and OWASP MASVS/MSTG guidelines, which emphasize strong encryption and message integrity.
From a compliance perspective, this vulnerability could hinder adherence to regulations such as GDPR and HIPAA, which require protection of sensitive data through strong encryption and integrity controls to prevent unauthorized access and tampering.
Failure to properly secure sensitive data as demonstrated by this vulnerability may result in non-compliance with these regulations, potentially leading to legal and financial consequences.