PT-2021-15659 · Facebook · Hermes

Published

2021-06-15

Updated

2022-05-24

CVE-2021-24037

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Hermes versions prior to commit d86e185e485b6330216dee8e854455c694e3a36e

Description: A use after free in Hermes, while emitting certain error messages, allows attackers to potentially execute arbitrary code via crafted JavaScript. This is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Most React Native applications are not affected.

Recommendations: For versions prior to commit d86e185e485b6330216dee8e854455c694e3a36e, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the evaluation of untrusted JavaScript in applications using Hermes.

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

CVE-2021-24037

GHSA-MPH8-6787-R8HW

Affected Products

Hermes

PT-2021-15659 · Facebook · Hermes

CVE-2021-24037

Weakness Enumeration

Related Identifiers

Affected Products

References · 8