Use After Free

Affecting hermes-engine package, versions <0.7.0


Overview

hermes-engine is a JavaScript engine optimized for running React Native on Android.

Affected versions of this package are vulnerable to Use After Free. The engine can free and then reuse memory while emitting certain error messages, and an attacker could potentially exploit this to execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Remediation

Upgrade hermes-engine to version 0.7.0 or higher.

CVSS Score

7.1
high severity
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Credit: Unknown
CVE: CVE-2021-24037
CWE: CWE-416
Snyk ID: SNYK-JS-HERMESENGINE-1309667
Disclosed: 16 Jun, 2021
Published: 16 Jun, 2021