CVE-2022-35289

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-35289
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35289.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-35289
Published
2022-10-11T02:15:08Z
Modified
2025-01-08T14:15:12.736179Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A write-what-where condition in Hermes, caused by an integer overflow and present prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374, allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

References

Affected packages

Git / github.com/facebook/hermes

Affected ranges

Type
GIT
Repo
https://github.com/facebook/hermes
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

hermes-2022-04-28-RNv0.*

hermes-2022-04-28-RNv0.69.0-15d07c2edd29a4ea0b8f15ab0588a0c1adb1200f

hermes-2022-07-15-RNv0.*

hermes-2022-07-15-RNv0.70.0-88dd5731a19ab6b38b0a0a2d4386ba959f2a2c98

v0.*

v0.1.0
v0.1.1
v0.10.0
v0.11.0
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0