PT-2020-15165 · Facebook · Hermes

Published: 2020-09-09 · Updated: 2022-05-24 · CVE-2020-1912

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Facebook Hermes versions prior to commit 091835377369c8fd5917d9b87acffa721ad2a168

Description

An out-of-bounds read/write vulnerability exists when executing lazily compiled inner generator functions. This could potentially allow attackers to execute arbitrary code via crafted JavaScript, but only if the application using Hermes permits evaluation of untrusted JavaScript.

Recommendations

For Facebook Hermes versions prior to commit 091835377369c8fd5917d9b87acffa721ad2a168, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the evaluation of untrusted JavaScript in applications using Hermes to minimize the risk of exploitation.

Fix

Out of bounds Read

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2020-1912
GHSA-PF27-929J-9PMM

Affected Products

Hermes