CVE-2023-22429

7.8 HIGH

📋 TL;DR

The Wolt Delivery Android app, versions 4.27.2 and earlier, ships hard-coded API credentials inside the app binary. Anyone who obtains the APK (it is publicly distributed) can recover the credentials by reverse engineering and use them to call the external services they belong to, without any authorization from Wolt. Only the Android app is affected; the exposed asset is the external service's key, not individual user accounts.

💻 Affected Systems

Products:
  • Wolt Delivery: Food and more
Versions: 4.27.2 and earlier
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Android mobile application, not web or iOS versions.

📦 What is this software?

Wolt Delivery is the customer app of the Wolt delivery platform, used to order food and other goods from local merchants. On Google Play the Android package name is com.wolt.android.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker extracts the key and uses it to make unauthorized requests to the external service at scale, reaching whatever data or actions that key authorizes, with quota consumption and abuse attributed to the legitimate key holder.

🟠 Likely Case

An attacker downloads the APK (no victim device, physical access or malware is needed), recovers the key with standard decompilation tools, and makes unauthorized API calls until the key is rotated.

🟢 If Mitigated

The external service enforces per-key rate limits, scopes the key to the app's expected endpoints, and monitors for unusual activity, limiting the damage from the stolen credential. An IP allowlist helps only if the key is meant to be used from Wolt's backend rather than directly from user devices.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a copy of the APK (obtainable by anyone from the Play Store or from any device that has the app installed) and basic reverse-engineering tooling such as apktool or jadx. No interaction with a victim and no authentication to the app is needed; the "local" attack vector describes where the key is extracted from, not a need for access to a victim's device.
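For an app owner or pentester, the practical question is whether a given build ships extractable secrets. The scanner below is an added example (not code from the advisory, from Wolt, or from the JVN page): it treats the APK as the zip it is, scans every entry for credential-shaped strings, and also searches a UTF-16 projection of each entry because compiled resources (resources.arsc) store strings that way while classes.dex uses MUTF-8. The key formats, the fake keys and the sample APK it builds are constructed for illustration; the advisory does not say what kind of key the app contained, so treat the pattern list as a starting point and pair it with jadx or apktool output for anything it misses.

```python
"""Scan an Android APK for hard-coded credential patterns.

Added example; not code from the advisory or from the vendor. An APK is a
zip, so each entry is read as bytes and searched for credential-shaped
strings. Patterns are generic public key formats plus a high-entropy
fallback; nothing here is specific to any vendor's key.
"""
import io
import math
import re
import zipfile

# Credential shapes worth flagging. The prefixed ones are documented public
# formats; "generic_token" is a fallback for long base64/hex-looking runs and
# is only reported when its entropy looks random rather than like an identifier.
PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key": re.compile(rb"(?:AKIA|ASIA)[0-9A-Z]{16}"),
    "labelled_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token|password)[\"'=:\s]{1,4}([A-Za-z0-9_\-]{20,})"
    ),
    "generic_token": re.compile(rb"[A-Za-z0-9+/_\-]{32,}"),
}
SKIP_SUFFIXES = (".png", ".webp", ".jpg", ".ttf", ".otf", ".RSA", ".SF", ".MF")

# Constructed fake credentials, used only to build the sample APK below.
FAKE_GOOGLE_KEY = "AIzaSyD-EXAMPLE_KEY_0123456789abcdefghi"   # "AIza" + 35 chars
FAKE_BACKEND_TOKEN = "sk_live_constructed_0123456789ABCDEF"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random tokens score about 4.5 and up; class names,
    resource paths and English text usually stay below that."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def byte_views(data: bytes):
    """Yield the raw entry plus an ASCII projection of any UTF-16LE text.
    classes.dex stores strings as MUTF-8 (the raw scan covers it), but
    compiled resources in resources.arsc are commonly UTF-16, which a byte
    regex on the raw entry would miss. The projection assumes 2-byte alignment."""
    yield "raw", data
    yield "utf16le", data.decode("utf-16-le", "ignore").encode("ascii", "ignore")


def scan_bytes(entry: str, data: bytes, entropy_threshold: float = 4.5) -> list:
    findings = []
    for view, blob in byte_views(data):
        covered = []  # spans already reported under a specific pattern
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(blob):
                token = m.group(1) if m.groups() else m.group(0)
                start, end = m.span()
                if kind == "generic_token":
                    if any(s < end and start < e for s, e in covered):
                        continue  # same bytes already reported by a specific rule
                    if shannon_entropy(token) < entropy_threshold:
                        continue  # reads like an identifier or path, not a key
                covered.append((start, end))
                findings.append({"entry": entry, "view": view, "kind": kind,
                                 "match": token.decode("ascii", "replace")})
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """Return every credential-looking string found across the APK's entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.endswith(SKIP_SUFFIXES):
                continue
            findings.extend(scan_bytes(info.filename, zf.read(info.filename)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK (not any real app): a leaked key in
    strings.xml, a UTF-16 secret in a fake resources.arsc, and harmless
    entries that must not be flagged."""
    strings_xml = (
        b'<resources>\n  <string name="app_name">Sample</string>\n'
        b'  <string name="maps_api_key">' + FAKE_GOOGLE_KEY.encode() + b'</string>\n'
        b'</resources>\n'
    )
    arsc = b"\x02\x00\x0c\x00" + ('{"backend_api_key":"%s"}' % FAKE_BACKEND_TOKEN).encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="com.example.sample"/>')
        zf.writestr("res/values/strings.xml", strings_xml)
        zf.writestr("resources.arsc", arsc)
        zf.writestr("assets/notes.txt", b"Lorem ipsum dolor sit amet, the quick brown fox jumps.")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for f in scan_apk(apk):
        print(f"{f['entry']} [{f['view']}] {f['kind']}: {f['match']}")
```

Run it with a real APK path as the first argument; with no argument it scans the constructed sample. Expect false positives from the generic rule on obfuscated DEX string tables; the entropy threshold is the knob to tune, and a hit is a lead to confirm in the decompiled source, not a verdict.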

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.27.2

Vendor Advisory: https://jvn.jp/en/jp/JVN64453490/

Restart Required: Yes

Instructions:

1. Update the Wolt Delivery app via the Google Play Store.
2. Confirm the installed version is newer than 4.27.2.
3. Restart the app after the update.

🔧 Temporary Workarounds

Uninstall the vulnerable version (Android):

Remove the vulnerable app version from devices, for example on a managed fleet:

adb uninstall com.wolt.android

This only stops the old build from running on that device. It does not reduce the exposure, because the key is in the APK itself and anyone who already has a copy still has it; the only effective remediation is for the vendor to rotate the embedded key, which is outside the end user's control.

🧯 If You Can't Patch

End users have no mitigation beyond updating or uninstalling. The following apply to the key owner (Wolt) and to the operator of the external service:

  • Monitor usage of the embedded key at the external service for unusual sources, volumes or endpoints
  • Rotate the exposed key at the external service and ship the replacement through a path that is not the client binary (for example, proxy the calls through the vendor's backend)

🔍 How to Verify

Check if Vulnerable:

Check app version in Android Settings > Apps > Wolt Delivery > App info

Check Version:

adb shell dumpsys package com.wolt.android | grep versionName

Verify Fix Applied:

Verify app version is newer than 4.27.2 in Google Play Store or app settings
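The version checks above are easy to get wrong in a script: a plain string comparison puts "4.3.0" after "4.27.2", so a fleet check written that way would report an old build as fixed. The following Python is an added example (not from the advisory or the vendor) that parses the versionName line of `adb shell dumpsys package com.wolt.android` and compares version components numerically. The dumpsys sample it embeds is constructed, not captured from a real device.

```python
"""Decide whether an installed Wolt build is in the affected range.

Added example, not from the advisory. It parses the versionName line of
`adb shell dumpsys package com.wolt.android` and compares version components
numerically, because a string comparison gets this wrong: "4.3.0" > "4.27.2"
lexically, yet 4.3.0 is older than 4.27.2.
"""
import re
import subprocess
from typing import Optional

PACKAGE = "com.wolt.android"
LAST_AFFECTED = "4.27.2"   # CVE-2023-22429: this version and earlier are affected

# Constructed sample of dumpsys output (not captured from a real device).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.wolt.android] (1a2b3c):
    userId=10123
    versionCode=42702 minSdk=24 targetSdk=33
    versionName=4.27.2
    apkSigningVersion=2
"""


def parse_version(v: str) -> tuple:
    """'4.27.2-beta' -> (4, 27, 2). Numeric components only; a non-numeric
    component ends the tuple, so a suffix never sorts a build ahead."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_name_from_dumpsys(text: str) -> Optional[str]:
    """Return the versionName from dumpsys output, or None if the package
    is not installed (dumpsys then prints no versionName line)."""
    m = re.search(r"^\s*versionName=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version_name: str) -> bool:
    # Tuple comparison is component-wise, so (4, 28) > (4, 27, 2) as intended.
    return parse_version(version_name) <= parse_version(LAST_AFFECTED)


def check_device(dumpsys_text: Optional[str] = None) -> dict:
    """Verdict for one device. Runs adb only when no dumpsys text is supplied."""
    if dumpsys_text is None:
        dumpsys_text = subprocess.run(
            ["adb", "shell", "dumpsys", "package", PACKAGE],
            capture_output=True, text=True, check=True,
        ).stdout
    name = version_name_from_dumpsys(dumpsys_text)
    if name is None:
        return {"installed": False, "version": None, "affected": False}
    return {"installed": True, "version": name, "affected": is_affected(name)}


if __name__ == "__main__":
    print(check_device(SAMPLE_DUMPSYS))
```

Point it at a connected device by calling check_device() with no argument; for a fleet, feed it the dumpsys output collected by your MDM instead.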

📡 Detection & Monitoring

These signals exist only in the logs of the external service (or of whoever owns the key); nothing on an end user's device or network indicates abuse of the key.

Log Indicators:

  • Requests authenticated with the app's embedded key from sources that are not the app or its backend, or at volumes outside the app's normal pattern
  • Calls to endpoints the app never uses, made with that key

Network Indicators:

  • If the key is meant to be used only from the vendor's backend, any use of it from other source addresses. If the app calls the service directly from devices, source IP is not a usable signal; rely on per-key rate, endpoint mix and client fingerprint instead.

SIEM Query (pseudo-query; adapt the field names to the service's log schema):

api_key_id = [leaked_key_id] AND (source_ip NOT IN (allowed_ips) OR requests_per_minute > [baseline] OR endpoint NOT IN (app_endpoints))

Do not pivot on the User-Agent header: an attacker controls it, so a condition such as user_agent CONTAINS 'wolt' neither identifies abuse nor rules it out.
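The detection logic above, run over constructed log lines, as an added example written from the external service operator's point of view (the only party whose logs show which key a request used); it is not from the advisory or any vendor. The log schema, the key identifier, the allowlisted ranges, the expected endpoints and the burst threshold are all assumptions. Passing allowed_nets=None models a key that the app calls with directly from user devices, where source IP carries no signal and only the rate and endpoint rules apply.

```python
"""Flag use of a leaked API key from outside its expected sources.

Added example, not from the advisory or any vendor. Written for the operator
of the external service (or the key owner). Log format, field names, IP
ranges and thresholds are constructed assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

LEAKED_KEY_ID = "key_7f3c"   # identifier of the key shipped in the APK (assumed)
# Egress ranges of the vendor backend (assumed, documentation-reserved ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
EXPECTED_PATHS = {"/v1/geocode", "/v1/places"}   # endpoints the app legitimately uses (assumed)
BURST_LIMIT = 5                                   # requests per window from one source (assumed)
WINDOW = timedelta(minutes=1)


def build_sample_log() -> list:
    """Constructed JSON-lines log (not real traffic): three backend requests,
    then an attacker bursting the leaked key and touching an admin endpoint,
    then an unrelated key that must be ignored."""
    t0 = datetime(2023, 6, 1, 12, 0, 0)
    rows = []
    for i in range(3):
        rows.append({"ts": (t0 + timedelta(seconds=i * 10)).isoformat(), "src_ip": "203.0.113.10",
                     "key_id": LEAKED_KEY_ID, "path": "/v1/geocode", "ua": "wolt-backend/1.0"})
    for i in range(8):
        rows.append({"ts": (t0 + timedelta(seconds=30 + i * 3)).isoformat(), "src_ip": "192.0.2.77",
                     "key_id": LEAKED_KEY_ID, "path": "/v1/geocode", "ua": "python-requests/2.31"})
    rows.append({"ts": (t0 + timedelta(seconds=60)).isoformat(), "src_ip": "192.0.2.77",
                 "key_id": LEAKED_KEY_ID, "path": "/v1/admin/export", "ua": "python-requests/2.31"})
    rows.append({"ts": (t0 + timedelta(seconds=70)).isoformat(), "src_ip": "192.0.2.9",
                 "key_id": "key_other", "path": "/v1/geocode", "ua": "curl/8.0"})
    return [json.dumps(r) for r in rows]


def analyze(lines, key_id=LEAKED_KEY_ID, allowed_nets=ALLOWED_NETS,
            expected_paths=EXPECTED_PATHS, burst_limit=BURST_LIMIT, window=WINDOW) -> dict:
    """Return alerts keyed by rule. allowed_nets=None disables the IP rule for
    keys that are legitimately used straight from user devices."""
    alerts = {"outside_allowlist": [], "unexpected_path": [], "burst": []}
    per_src = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["key_id"] != key_id:
            continue   # other keys are out of scope for this rule set
        ip = ipaddress.ip_address(ev["src_ip"])
        if allowed_nets is not None and not any(ip in net for net in allowed_nets):
            alerts["outside_allowlist"].append((ev["ts"], ev["src_ip"], ev["ua"]))
        if ev["path"] not in expected_paths:
            alerts["unexpected_path"].append((ev["ts"], ev["src_ip"], ev["path"]))
        per_src[ev["src_ip"]].append(datetime.fromisoformat(ev["ts"]))
    # Sliding-window burst check per source: report the peak count in any window.
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > burst_limit:
            alerts["burst"].append((src, peak))
    return alerts


if __name__ == "__main__":
    for rule, hits in analyze(build_sample_log()).items():
        print(rule, hits)
```

In production the same three rules run continuously against the gateway's access log; the outside_allowlist rule is the strongest signal when it applies, and the burst and endpoint rules are what remain once the key is known to be used from arbitrary client addresses.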
