CVE-2023-23557
Last modified
CVE-2023-23557 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. EPSS estimates a 0.89% chance of exploitation in the next 30 days.
Description
An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hermes | < 2023-01-10 |
References
- https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9adPatch, Vendor Advisory
- https://www.facebook.com/security/advisories/cve-2023-23557Patch, Vendor Advisory
- https://github.com/facebook/hermes/commit/a00d237346894c6067a594983be6634f4168c9adPatch, Vendor Advisory
- https://www.facebook.com/security/advisories/cve-2023-23557Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-23557?
How severe is CVE-2023-23557?
How do I fix CVE-2023-23557?
Are you affected by CVE-2023-23557?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST