Out-of-Bounds Read/Write Vulnerability in Facebook Hermes Engine
CVE-2020-1912
8.1 HIGH
What is CVE-2020-1912?
The vulnerability in Facebook's Hermes JavaScript engine arises from improper handling of inner generator functions, which leads to out-of-bounds read and write operations. Attackers can exploit this weakness by executing crafted JavaScript code, potentially allowing arbitrary code execution. The risk is primarily a concern for applications that evaluate untrusted JavaScript, so most React Native applications are unaffected by this flaw.
Affected Version(s)
Hermes commit prior to 091835377369c8fd5917d9b87acffa721ad2a168
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved