hermes-engine@0.1.1 vulnerabilities

A JavaScript engine optimized for running React Native on Android

  • latest version

    0.11.0

  • latest non vulnerable version

  • first published

    5 years ago

  • latest version published

    2 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the hermes-engine package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Denial of Service (DoS)

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Denial of Service (DoS) by passing invalid JavaScript code where await and yield were called upon non-async and non-generator getter/setter functions. In this case, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE.

    How to fix Denial of Service (DoS)?

    Upgrade hermes-engine to version 0.10.0 or higher.

    <0.10.0
    • H
    Out-of-Bounds

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Out-of-Bounds. An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

    How to fix Out-of-Bounds?

    Upgrade hermes-engine to version 0.8.0 or higher.

    <0.8.0
    • H
    Use After Free

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Use After Free. While emitting certain error messages, attackers could potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

    How to fix Use After Free?

    Upgrade hermes-engine to version 0.7.0 or higher.

    <0.7.0
    • M
    Cross-site Scripting (XSS)

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A logic vulnerability when handling the SaveGeneratorLong instruction allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

    How to fix Cross-site Scripting (XSS)?

    Upgrade hermes-engine to version 0.7.2 or higher.

    <0.7.2
    • M
    Denial of Service (DoS)

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Denial of Service (DoS). An Integer signedness error in the JavaScript Interpreter allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

    How to fix Denial of Service (DoS)?

    Upgrade hermes-engine to version 0.7.0 or higher.

    <0.7.0
    • M
    Out-of-Bounds

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Out-of-Bounds. An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

    How to fix Out-of-Bounds?

    Upgrade hermes-engine to version 0.7.0 or higher.

    <0.7.0
    • M
    Prototype Pollution

    hermes-engine is an A JavaScript engine optimized for running React Native on Android

    Affected versions of this package are vulnerable to Prototype Pollution via HostObject computed properties.

    How to fix Prototype Pollution?

    Upgrade hermes-engine to version 0.7.0 or higher.

    <0.7.0