reCAPTCHA Enterprise update #5638

Closed
TonyAnine opened this issue Jan 11, 2024 · 12 comments

@TonyAnine

A critical security vulnerability was discovered in reCAPTCHA Enterprise for Mobile. The vulnerability has been patched in the latest SDK release. Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible.

@google-oss-bot
Contributor

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@fangwenjie

I get the same warning info. The last version of firebase auth uses recaptcha:18.1.2.

A critical security vulnerability was discovered in reCAPTCHA Enterprise for Mobile. The vulnerability has been patched in the latest SDK release. Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible.

@lehcar09

Hi @TonyAnine, thank you for reaching out and reporting the issue. We appreciate the details you shared to resolve the issue. I’ll notify our engineers with your recommended solution.

@NhienLam

Thank you for reporting the issue. The fix is scheduled for the next release.

In the meantime, you can override the reCAPTCHA version by following https://cloud.google.com/identity-platform/docs/recaptcha-enterprise#configure-sdk.

Add the following build rule to the dependencies section of your app-level build.gradle file:

implementation 'com.google.android.recaptcha:recaptcha:18.4.0'

Make sure to use reCAPTCHA SDK version 18.4.0 or later.
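
A check for the override described above, added here as an example and not code from the Firebase project: it reads the text printed by Gradle's `dependencies` task and reports any resolved reCAPTCHA SDK version below 18.4.0, which catches an old version still pulled in transitively. The function names and the sample reports are constructed for illustration.

```python
import re

COORD = "com.google.android.recaptcha:recaptcha"  # coordinate from the comment above
MIN_FIXED = (18, 4, 0)                            # first fixed version per this thread

# Tree lines look like "\--- group:name:18.1.2 -> 18.4.0 (*)"; the version after
# "->" is the one Gradle resolved, which is what ends up in the APK.
LINE = re.compile(
    re.escape(COORD)
    + r"(?=[:\s]|$)(?::(?P<req>\{[^}]*\}|\S+))?(?:\s+->\s+(?P<res>\S+))?"
)

def parse_version(text):
    """Return (major, minor, patch) from text such as '18.4.0', or None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def resolved_versions(report):
    """Collect every version the report shows as resolved for the reCAPTCHA SDK."""
    found = set()
    for line in report.splitlines():
        m = LINE.search(line)
        if m:
            found.add(m.group("res") or m.group("req") or "unknown")
    return found

def outdated(report):
    """Resolved versions below 18.4.0, plus any that cannot be parsed."""
    bad = []
    for version in sorted(resolved_versions(report)):
        parsed = parse_version(version)
        if parsed is None or parsed < MIN_FIXED:
            bad.append(version)
    return bad

# Constructed sample reports; X.Y.Z is a placeholder, not a real version.
BEFORE = r"""
+--- com.google.firebase:firebase-auth:X.Y.Z
|    \--- com.google.android.recaptcha:recaptcha:18.1.2
"""
AFTER = r"""
+--- com.google.firebase:firebase-auth:X.Y.Z
|    \--- com.google.android.recaptcha:recaptcha:18.1.2 -> 18.4.0
\--- com.google.android.recaptcha:recaptcha:18.4.0
"""

if __name__ == "__main__":
    print("before override:", outdated(BEFORE))
    print("after override: ", outdated(AFTER))
```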

@TonyAnine
Author

Received, thank you very much for your reply and the solution provided.

@maven08

maven08 commented Jan 12, 2024

An SDK version that you are using has a note from the SDK provider

11 Jan 2024 04:17

The SDK provider of com.google.android.recaptcha:recaptcha has added a note for recaptcha:18.0.1. Here's what the SDK provider told us:

A critical security vulnerability was discovered in reCAPTCHA Enterprise for Mobile. The vulnerability has been patched in the latest SDK release. Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible.

Note: Google, why don't you provide a solution before throwing errors?

@kesildigital

@NhienLam Do you have an expected date to release the fix?

@svartalfheim

Should iOS be supported as well?

@NhienLam

Hi @svartalfheim. No, this issue only happens in Android SDK. No action is needed for iOS.

@NhienLam

Hi all,
Thank you for your patience, this has been fixed in v22.3.1 of the Auth SDK (Firebase BoM v32.7.1).

@PhanVanLinh

@NhienLam the newer library 18.4.0 is built with Kotlin 1.9.0, while my project is using 1.7.10.
Upgrading the Kotlin version is not easy at this time, as we depend on many libraries that don't support Kotlin 1.9.0 yet.
So is there any lower version of reCAPTCHA Enterprise (which doesn't require Kotlin 1.9.0) that doesn't have the "critical security vulnerability" issue?

@NhienLam

> is there any lower version of reCAPTCHA Enterprise (which not required kotlin 1.9.0) that don't have issue with "critical security vulnerability"

Hi @PhanVanLinh. Unfortunately, no. Currently, reCAPTCHA Enterprise v18.4.0 is the only version that has a fix for the security vulnerability issue and it requires Kotlin 1.9.0.

There is backwards compatibility in Kotlin for one minor version, so you may only have to upgrade to Kotlin 1.8.0 to use reCAPTCHA Enterprise v18.4.0.
