Stack Overflow Vulnerability in Facebook Hermes Affecting JavaScript Execution
CVE-2020-1896

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 2 February 2021

What is CVE-2020-1896?

A stack overflow vulnerability exists in Facebook's Hermes JavaScript engine, specifically within the 'builtin apply' function. This flaw enables attackers to potentially execute arbitrary code through specially crafted JavaScript. However, exploitation necessitates that the application utilizing Hermes allows untrusted JavaScript evaluation, which means that most React Native applications are not vulnerable. Affected versions should be updated to the latest commit for mitigation.

Affected Version(s)

Hermes commit prior to 86543ac47e59c522976b5632b8bf9a2a4583c7d2

References

https://www.facebook.com/security/advisories/cve-2020-1896

x_refsource_CONFIRM

https://github.com/facebook/hermes/commit/86543ac47e59c52...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 2, 2021
Vulnerability Reserved
Dec 2, 2019