hermes-engine@0.7.0 vulnerabilities

hermes-engine is an A JavaScript engine optimized for running React Native on Android

Affected versions of this package are vulnerable to Denial of Service (DoS) by passing invalid JavaScript code where await and yield were called upon non-async and non-generator getter/setter functions. In this case, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE.

Upgrade hermes-engine to version 0.10.0 or higher.

hermes-engine is an A JavaScript engine optimized for running React Native on Android

Affected versions of this package are vulnerable to Out-of-Bounds. An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Upgrade hermes-engine to version 0.8.0 or higher.

hermes-engine is an A JavaScript engine optimized for running React Native on Android

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A logic vulnerability when handling the SaveGeneratorLong instruction allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Upgrade hermes-engine to version 0.7.2 or higher.