CVE-2023-23556

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hermes versions prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80

Description An error in BigInt conversion to Number in Hermes could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. This issue is only exploitable in cases where Hermes is used to execute untrusted JavaScript, and most React Native applications are not affected.

Recommendations For versions prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80, update to a version that includes the fix for the BigInt conversion to Number error to prevent potential arbitrary code execution. As a temporary workaround, consider restricting the execution of untrusted JavaScript in Hermes until a patch is available.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

CVE-2023-23556

Affected Products

Hermes

CVE-2023-23556

Weakness Enumeration

Related Identifiers

Affected Products

References · 8