Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tcGg4LTY3ODctcjhod84AAo3T
Use After Free in Hermes
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Permalink: https://github.com/advisories/GHSA-mph8-6787-r8hwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tcGg4LTY3ODctcjhod84AAo3T
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-mph8-6787-r8hw, CVE-2021-24037
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-24037
- https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e
- https://www.facebook.com/security/advisories/CVE-2021-24037
- https://github.com/advisories/GHSA-mph8-6787-r8hw
Blast Radius: 52.3
Affected Packages
npm:hermes-engine
Dependent packages: 197Dependent repositories: 214,711
Downloads: 1,367,581 last month
Affected Version Ranges: <= 0.7.2
Fixed in: 0.8.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.3, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.7.2
All unaffected versions: 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0