Out of Bounds Write Vulnerability in Hermes Engine Affecting React Native Applications
CVE-2022-32234

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 11 October 2022

What is CVE-2022-32234?

The Hermes JavaScript engine has a vulnerability that allows for an out of bounds write when dealing with large arrays. This weakness can be exploited to potentially execute arbitrary code when an application permits the evaluation of untrusted JavaScript. Most React Native applications, however, are typically safe since they do not allow such evaluations. Developers are encouraged to review their implementations and ensure the use of updated versions of Hermes to mitigate the risk.

Affected Version(s)

Hermes < unspecified

References

https://github.com/facebook/hermes/commit/06eaec767e376bf...

https://www.facebook.com/security/advisories/CVE-2022-32234

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Jun 2, 2022

Facebook

What is CVE-2022-32234?

Affected Version(s)

References

CVSS V3.1

Timeline