PT-2023-22710 · Hermes · Hermes

Published 2023-05-18 · Updated 2025-01-21 · CVE-2023-30470

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hermes versions prior to commit da8990f737ebb9d9810633502f65ed462b819c09

Description: A use-after-free related to unsound inference in bytecode generation when optimizations are enabled could have been used by an attacker to achieve remote code execution. This issue is only exploitable where Hermes is used to execute untrusted JavaScript; most React Native applications are not affected.

Recommendations: For versions prior to commit da8990f737ebb9d9810633502f65ed462b819c09, update to a version that includes the fix for the use-after-free in bytecode generation. As a temporary workaround, disable optimizations in Hermes when executing untrusted JavaScript until a patched version is available.

Fix

Weakness Enumeration: Use After Free

Related Identifiers: CVE-2023-30470

Affected Products: Hermes