CVE-2023-23557
First published: Thu May 18 2023(Updated: )
An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <2023-01-10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-23557?
CVE-2023-23557 is a vulnerability in Hermes' algorithm for copying objects properties that could allow a malicious attacker to execute arbitrary code via type confusion.
How severe is CVE-2023-23557?
CVE-2023-23557 has a severity rating of critical with a score of 9.8 out of 10.
Which software is affected by CVE-2023-23557?
Hermes versions up to and excluding 2023-01-10 are affected by CVE-2023-23557.
How can CVE-2023-23557 be exploited?
CVE-2023-23557 can only be exploited in cases where Hermes is used to execute untrusted JavaScript code.
How can I fix CVE-2023-23557?
To fix CVE-2023-23557, update Hermes to a version excluding 2023-01-10 or apply the necessary patches provided by the vendor.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/event
- agent/author
- agent/severity
- agent/description
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- vendor/facebook
- canonical/facebook hermes