CVE-2020-1896
First published: Tue Feb 02 2021(Updated: )
A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <0.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-1896?
CVE-2020-1896 is a stack overflow vulnerability in Facebook Hermes 'builtin apply' that allows attackers to potentially execute arbitrary code via crafted JavaScript.
How severe is CVE-2020-1896?
CVE-2020-1896 has a severity rating of 9.8 (Critical).
Which version of Facebook Hermes is affected by CVE-2020-1896?
Facebook Hermes versions up to and exclusive of 0.5.0 are affected by CVE-2020-1896.
How can an attacker exploit CVE-2020-1896?
An attacker can exploit CVE-2020-1896 by using crafted JavaScript to trigger a stack overflow and potentially execute arbitrary code.
Is there a fix for CVE-2020-1896?
Yes, the fix for CVE-2020-1896 is available in commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 of Facebook Hermes.
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/facebook
- canonical/facebook hermes