CVE-2021-24037: Use After Free
First published: Tue Jun 15 2021(Updated: )
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <0.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-24037?
The severity of CVE-2021-24037 is critical with a CVSS score of 9.8.
What is the vulnerability description of CVE-2021-24037?
CVE-2021-24037 is a use after free vulnerability in Hermes, which allows attackers to potentially execute arbitrary code via crafted JavaScript.
How can this vulnerability be exploited?
This vulnerability can be exploited if the application using Hermes permits evaluation of untrusted JavaScript code.
Which software versions are affected by CVE-2021-24037?
Versions up to exclusive 0.8.0 of Facebook Hermes are affected by CVE-2021-24037.
Is there a fix available for CVE-2021-24037?
Yes, the fix for CVE-2021-24037 is available in the commit d86e185e485b6330216dee8e854455c694e3a36e in the Hermes repository.
- collector/nvd-index
- vendor/facebook
- canonical/facebook hermes