Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNXgyLXh2OTMtNHAyM84AAl0M

Access of Resource Using Incompatible Type in Facebook Hermes

A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Permalink: https://github.com/advisories/GHSA-f5x2-xv93-4p23
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNXgyLXh2OTMtNHAyM84AAl0M
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-f5x2-xv93-4p23, CVE-2020-1911
References: Repository: https://github.com/facebook/hermes
Blast Radius: 52.3

Affected Packages

npm:hermes-engine
Dependent packages: 197
Dependent repositories: 214,711
Downloads: 1,424,986 last month
Affected Version Ranges: <= 0.4.3
Fixed in: 0.5.2
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.3
All unaffected versions: 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0