Description
A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://www.facebook.com/security/advisories/cve-2021-24045
Patch, Third Party Advisory (x_refsource_misc): https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2
Scores
CVSS v3: 9.8
EPSS: 0.0055
EPSS Percentile: 67.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-843
Status: published
Products (1)
facebook/hermes < 0.10.0
Published: Dec 13, 2021
Tracked Since: Feb 18, 2026