CVE-2023-30470

CRITICAL

Facebook Hermes - Use After Free

Title source: rule

Description

A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_confirm

https://www.facebook.com/security/advisories/cve-2023-30470

Patch x_refsource_misc

https://github.com/facebook/hermes/commit/da8990f737ebb9d9810633502f65ed462b819c09

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0309

EPSS Percentile 86.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-416

Status published

Products (1)

facebook/hermes

Published May 18, 2023

Tracked Since Feb 18, 2026