PT-2020-15164 · Facebook · React Native+1

Published

2020-09-04

Updated

2022-05-24

CVE-2020-1911

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Facebook Hermes versions prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da

Description A type confusion issue exists when resolving properties of JavaScript objects with specially-crafted prototype chains. This could allow attackers to potentially execute arbitrary code via crafted JavaScript, but only if the application using Hermes permits evaluation of untrusted JavaScript. Most React Native applications are not affected.

Recommendations For Facebook Hermes versions prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da, update to a version that includes the fix from commit fe52854cdf6725c2eaa9e125995da76e6ceb27da to resolve the issue. As a temporary workaround, consider restricting the evaluation of untrusted JavaScript in applications using Hermes.

Fix

Type Confusion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-843

Related Identifiers

CVE-2020-1911

GHSA-F5X2-XV93-4P23

Affected Products

Hermes

React Native

PT-2020-15164 · Facebook · React Native+1

CVE-2020-1911

Weakness Enumeration

Related Identifiers

Affected Products

References · 5