CVE-2022-27810

HIGH

Hermes <0.12.0 - XSS

Title source: llm

Description

It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev-mode (when asserts were enabled). This issue affects Hermes versions prior to v0.12.0.

Scores

CVSS v3 7.5
EPSS 0.0033
EPSS Percentile 56.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-674
Status published
Products (1)
facebook/hermes < 0.12.0
Published Oct 06, 2022
Tracked Since Feb 18, 2026