CVE-2020-1913
HIGH
Facebook Hermes < 0.4.3 / hermes-engine < 0.5.2 - DoS or RCE via Integer Signedness Error
Title source: llm
Description
An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://www.facebook.com/security/advisories/cve-2020-1913
Patch, Third Party Advisory x_refsource_confirm
https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6
Scores
CVSS v3
8.1
EPSS
0.0120
EPSS Percentile
64.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-681
CWE-195
Status
published
Products (2)
facebook/hermes
< 0.4.3
npm/hermes-engine
0 - 0.5.2
Published
Sep 09, 2020
Tracked Since
Feb 18, 2026