CVE-2023-23556
First published: Thu May 18 2023(Updated: )
An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <2023-02-02 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-23556?
The severity of CVE-2023-23556 is critical with a severity value of 9.8.
How does CVE-2023-23556 impact Hermes?
CVE-2023-23556 could be used by a malicious attacker to execute arbitrary code due to an out-of-bound write in Hermes.
Is CVE-2023-23556 exploitable in all cases where Hermes is used?
CVE-2023-23556 is only exploitable in cases where Hermes is used to execute untrusted JavaScript code.
How can I fix CVE-2023-23556?
To fix CVE-2023-23556, it is recommended to update Hermes to a version that includes the fix commit a6dcafe6ded8e61658b40f5699878cd19a481f80.
Where can I find more information about CVE-2023-23556?
More information about CVE-2023-23556 can be found in the references: [GitHub](https://github.com/facebook/hermes/commit/a6dcafe6ded8e61658b40f5699878cd19a481f80) and [Facebook Security Advisories](https://www.facebook.com/security/advisories/cve-2023-23556).
- collector/nvd-index
- agent/references
- agent/author
- agent/weakness
- agent/severity
- vendor/facebook
- canonical/facebook hermes