Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZjI3LTkyOWotOXBtbc4AAl2N
Out-of-bounds Read and Out-of-bounds Write in Facebook Hermes
An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to commit 091835377369c8fd5917d9b87acffa721ad2a168 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Permalink: https://github.com/advisories/GHSA-pf27-929j-9pmmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZjI3LTkyOWotOXBtbc4AAl2N
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pf27-929j-9pmm, CVE-2020-1912
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-1912
- https://github.com/facebook/hermes/commit/091835377369c8fd5917d9b87acffa721ad2a168
- https://www.facebook.com/security/advisories/cve-2020-1912
- https://github.com/advisories/GHSA-pf27-929j-9pmm
Blast Radius: 43.2
Affected Packages
npm:hermes-engine
Dependent packages: 197Dependent repositories: 214,711
Downloads: 1,367,581 last month
Affected Version Ranges: <= 0.4.3
Fixed in: 0.5.2
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.3
All unaffected versions: 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.10.0, 0.11.0