Use After Free Vulnerability in Hermes Affecting React Native Applications
CVE-2021-24037

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 15 June 2021

What is CVE-2021-24037?

A use after free vulnerability exists within the Hermes JavaScript engine, which can lead to arbitrary code execution when specific error messages are emitted. This situation arises when an application using Hermes allows the evaluation of untrusted JavaScript code. Typically, most React Native applications are safeguarded against this type of exploit since they do not accept untrusted JavaScript, minimizing the risk posed by this vulnerability.

Affected Version(s)

Hermes commit prior to d86e185e485b6330216dee8e854455c694e3a36e

References

https://github.com/facebook/hermes/commit/d86e185e485b633...

x_refsource_CONFIRM

https://www.facebook.com/security/advisories/CVE-2021-24037

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 15, 2021
Vulnerability Reserved
Jan 13, 2021

Facebook

What is CVE-2021-24037?

Affected Version(s)

References

CVSS V3.1

Timeline