PT-2023-21541 · Hermes · Hermes

Published: 2023-05-18 · Updated: 2025-01-21 · CVE-2023-28081

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hermes versions prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81

Description: A bytecode optimization bug could be used to cause a use-after-free and obtain arbitrary code execution via a carefully crafted payload. This is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Most React Native applications are not affected.

Recommendations: For versions prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81, update to a version that includes the fix for the bytecode optimization bug. As a temporary workaround, consider restricting the execution of untrusted JavaScript in Hermes until a patch is available.

Fix

Weakness Enumeration: Use After Free

Related Identifiers: CVE-2023-28081

Affected Products: Hermes