CVE-2023-24832

Name
CVE-2023-24832
Description
A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash an Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.facebook.com/security/advisories/cve-2023-24832
MISC https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:* hermes >= None < 2023-01-31

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
hermes edge-community 1.9-r9 ScrumpyJack <scrumpyjack@st.ilet.to> possibly vulnerable
hermes 3.18-community 1.9-r9 ScrumpyJack <scrumpyjack@st.ilet.to> possibly vulnerable