Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNXgyLXh2OTMtNHAyM84AAl0M
Access of Resource Using Incompatible Type in Facebook Hermes
A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Permalink: https://github.com/advisories/GHSA-f5x2-xv93-4p23JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNXgyLXh2OTMtNHAyM84AAl0M
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-f5x2-xv93-4p23, CVE-2020-1911
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1911
- https://github.com/facebook/hermes/commit/fe52854cdf6725c2eaa9e125995da76e6ceb27da
- https://www.facebook.com/security/advisories/cve-2020-1911
- https://github.com/advisories/GHSA-f5x2-xv93-4p23
Blast Radius: 52.3
Affected Packages
npm:hermes-engine
Dependent packages: 197Dependent repositories: 214,711
Downloads: 1,718,480 last month
Affected Version Ranges: <= 0.4.3
Fixed in: 0.5.2
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.3
All unaffected versions: 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0