CVE-2020-1911 – A type confusion vulnerability in Facebook's He... (How to Fix)

Q: What is the severity of CVE-2020-1911?

CVE-2020-1911 has a CVSS score of 9.8 (CRITICAL). A type confusion vulnerability in Facebook's Hermes JavaScript engine allows attackers to potentially execute arbitrary code by crafting malicious JavaScript objects with specially-designed prototype chains. This affects applications using vulnerable versions of Hermes that permit evaluation of untrusted JavaScript. Most React Native applications are not affected because they typically don't evaluate untrusted JavaScript.

📋 TL;DR

A type confusion vulnerability in Facebook's Hermes JavaScript engine allows attackers to potentially execute arbitrary code by crafting malicious JavaScript objects with specially-designed prototype chains. This affects applications using vulnerable versions of Hermes that permit evaluation of untrusted JavaScript. Most React Native applications are not affected because they typically don't evaluate untrusted JavaScript.

💻 Affected Systems

Products:

Facebook Hermes
React Native applications using Hermes

Versions: All versions prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da

Operating Systems: All platforms running Hermes (Android, iOS, Linux, Windows)

Default Config Vulnerable: ✅ No

Notes: Only exploitable if application permits evaluation of untrusted JavaScript. Most React Native apps don't do this by default.

📦 What is this software?

Hermes by Facebook

View all CVEs affecting Hermes →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash or denial of service; RCE only if application specifically evaluates untrusted JavaScript.

🟢

If Mitigated

No impact if application doesn't evaluate untrusted JavaScript or is properly patched.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires the application to process untrusted JavaScript, which is not the default for most Hermes implementations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit fe52854cdf6725c2eaa9e125995da76e6ceb27da and later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2020-1911

Restart Required: Yes

Instructions:

1. Update Hermes to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da or later. 2. For React Native apps: Update to a version that includes the patched Hermes engine. 3. Rebuild and redeploy applications.

🔧 Temporary Workarounds

Disable JavaScript evaluation

all

Prevent applications from evaluating untrusted JavaScript code

Network segmentation

all

Isolate applications using Hermes from untrusted networks

🧯 If You Can't Patch

Disable evaluation of any untrusted JavaScript in applications
Implement strict input validation and sandboxing for JavaScript execution

🔍 How to Verify

Check if Vulnerable:

Check Hermes version/commit hash against vulnerable range. For React Native apps: check if using vulnerable Hermes version.

Check Version:

Check application dependencies for Hermes version or commit hash

Verify Fix Applied:

Verify Hermes is at commit fe52854cdf6725c2eaa9e125995da76e6ceb27da or later. Test that JavaScript evaluation functions properly without crashes.

📡 Detection & Monitoring

Log Indicators:

Unexpected application crashes
Memory access violation errors
Unusual JavaScript evaluation patterns

Network Indicators:

Unexpected network connections from Hermes processes
Suspicious JavaScript payloads in application traffic

SIEM Query:

Search for process crashes related to Hermes or JavaScript engine, or unexpected outbound connections from applications using Hermes

📊 Metadata

CVE ID: CVE-2020-1911

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-843

Published: September 4, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/facebook/hermes/commit/fe52854cdf6725c2eaa9e125995da76e6ceb27da Patch,Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1911 Third Party Advisory
https://github.com/facebook/hermes/commit/fe52854cdf6725c2eaa9e125995da76e6ceb27da Patch,Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1911 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-1911, you might also want to check these: