PT-2022-5006 · Facebook · Hermes

Published

2022-10-10

Updated

2022-10-11

CVE-2022-35289

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hermes versions prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374

Description A write-what-where condition in Hermes caused by an integer overflow allows attackers to potentially execute arbitrary code via crafted JavaScript. This issue is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Most React Native applications are not affected.

Recommendations For versions prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374, consider updating to a version that includes the fix for the integer overflow issue. As a temporary workaround, restrict the evaluation of untrusted JavaScript in applications using Hermes to minimize the risk of exploitation.

Fix

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190CWE-680

Related Identifiers

BDU:2022-06219

CVE-2022-35289

Affected Products

Hermes

PT-2022-5006 · Facebook · Hermes

CVE-2022-35289

Weakness Enumeration

Related Identifiers

Affected Products

References · 6