CVE-2023-23556

CRITICAL

Facebook Hermes < 2023-02-02 - Remote Code Execution via BigInt Conversion Out-of-Bounds Write

Title source: llm
STIX 2.1

Description

An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Scores

CVSS v3 9.8
EPSS 0.0089
EPSS Percentile 55.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-787
Status published
Products (1)
facebook/hermes < 2023-02-02
Published May 18, 2023
Tracked Since Feb 18, 2026