Type Confusion Vulnerability in Facebook Hermes JavaScript Engine
CVE-2021-24045

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 13 December 2021

What is CVE-2021-24045?

A type confusion vulnerability exists in the Facebook Hermes JavaScript engine that can be triggered by resolving the 'typeof' unary operator. This vulnerability is particularly concerning when an application utilizing Hermes allows for the evaluation of untrusted JavaScript. However, it is important to note that most React Native applications are not vulnerable as they do not typically permit such evaluations. The issue is fixed in Hermes version 0.10.0, mitigating the risks associated with this vulnerability.

Affected Version(s)

Hermes < 0.10.0

Hermes 0.10.0

References

https://www.facebook.com/security/advisories/cve-2021-24045

x_refsource_CONFIRM

https://github.com/facebook/hermes/commit/55e1b2343f4deb1...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2021
Vulnerability Reserved
Jan 13, 2021