PT-2020-15166 · Facebook · Hermes

Published: 2020-09-09 · Updated: 2022-05-24 · CVE-2020-1913

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Facebook Hermes versions prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6

Description: The issue is an integer signedness error in the JavaScript interpreter. It can be exploited to cause a denial of service or potentially to achieve remote code execution (RCE) via crafted JavaScript. Exploitability depends on whether the application evaluates untrusted JavaScript, which is not a common scenario for most React Native applications.

Recommendations: For Facebook Hermes versions prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6, update to a version that includes the fix for the integer signedness error in the JavaScript interpreter. As a temporary workaround, restrict the evaluation of untrusted JavaScript in applications using Hermes to minimize the risk of exploitation.

Fix


Weakness Enumeration

Related Identifiers

CVE-2020-1913
GHSA-GMPM-XP43-F7G6

Affected Products

Hermes