GHSA-vx5f-vmr6-32wf: cap-go/capacitor-native-biometric Authentication Bypass

February 10, 2026 (updated February 12, 2026)

The cap-go/capacitor-native-biometric library was found to be subject to an authentication bypass as the current implementation of the onAuthenticationSucceeded() does not appear to handle a CryptoObject[^HackTricks1] [^SecuringBiometricAuthentication] as seen in the following code block starting from line 88 in AuthActivity.java:

@Override
public void onAuthenticationSucceeded(
@NonNull BiometricPrompt.AuthenticationResult result
) {
super.onAuthenticationSucceeded(result);
finishActivity("success");
}

As the current implementation only checks whether onAuthenticationSucceeded() was called and does not handle a CryptoObject the biometric authentication can be bypassed by hooking the onAuthenticationSucceeded() function.

References

Code Behaviors & Features

Detect and mitigate GHSA-vx5f-vmr6-32wf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →