wagner-deoliveira / mobile-expo


CVE-2020-1915 (High) detected in hermes-engine-0.0.0.tgz #93

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago

CVE-2020-1915 - High Severity Vulnerability

Vulnerable Library - hermes-engine-0.0.0.tgz

Library home page: https://registry.npmjs.org/hermes-engine/-/hermes-engine-0.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/hermes-engine/package.json

Dependency Hierarchy:
- react-native-0.62.2.tgz (Root Library)
  - :x: **hermes-engine-0.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: 2dadebde961db14e094d77b44fb513bffe8b7f6b

Found in base branch: master

Vulnerability Details

An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Publish Date: 2020-10-26

URL: CVE-2020-1915

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-x4cf-6jr3-3qvp

Release Date: 2020-11-02

Fix Resolution: hermes-engine - 0.7.2
