Out-of-Bounds

Affecting hermes-engine package, versions <0.7.0

Overview

hermes-engine is a JavaScript engine optimized for running React Native on Android.

Affected versions of this package are vulnerable to Out-of-Bounds. An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Remediation

Upgrade hermes-engine to version 0.7.0 or higher.

CVSS Score

6.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Credit
Unknown
CVE
CVE-2020-1912
CWE
CWE-119
Snyk ID
SNYK-JS-HERMESENGINE-629748
Disclosed
10 Sep, 2020
Published
10 Sep, 2020