CVE-2020-1912

8.1 HIGH

📋 TL;DR

CVE-2020-1912 is an out-of-bounds read/write vulnerability in Facebook's Hermes JavaScript engine that could allow attackers to execute arbitrary code via crafted JavaScript. Only applications using Hermes that evaluate untrusted JavaScript are affected, meaning most React Native applications are not vulnerable.

💻 Affected Systems

Products:
  • Facebook Hermes JavaScript engine
  • React Native applications using Hermes
Versions: All versions prior to commit 091835377369c8fd5917d9b87acffa721ad2a168
Operating Systems: All platforms where Hermes runs (Android, iOS, etc.)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if application evaluates untrusted JavaScript. Most React Native apps don't do this by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash or denial of service; code execution is possible but requires specific conditions.

🟢

If Mitigated

No impact if application doesn't evaluate untrusted JavaScript or uses patched Hermes version.

🌐 Internet-Facing: MEDIUM - Requires untrusted JavaScript evaluation, which is not common in typical React Native deployments.
🏢 Internal Only: LOW - Same constraints apply; internal apps rarely evaluate untrusted JavaScript.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific JavaScript to trigger the out-of-bounds condition in lazily compiled inner generator functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes commit 091835377369c8fd5917d9b87acffa721ad2a168 or later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2020-1912

Restart Required: Yes

Instructions:

1. Update Hermes to commit 091835377369c8fd5917d9b87acffa721ad2a168 or later.
2. Rebuild and redeploy React Native applications using the updated Hermes engine.
3. Restart affected applications.

🔧 Temporary Workarounds

Disable untrusted JavaScript evaluation

all

Prevent evaluation of untrusted JavaScript in Hermes engine

Configure application to not use eval(), Function constructor, or similar with untrusted input

🧯 If You Can't Patch

  • Disable JavaScript evaluation of any untrusted content in applications
  • Implement strict input validation and sanitization for any JavaScript execution
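
To locate the places where an application evaluates JavaScript at runtime, which the workaround above asks you to disable for untrusted input, the following added example (not code from Hermes or the vendor advisory) scans source text for `eval` and `Function` constructor call sites. It is a regex heuristic that over-reports rather than parses; `findEvalSinks` and the sample input are constructed for illustration.

```javascript
// Added example: flag dynamic code-evaluation sinks in JavaScript source text.
// Regex heuristic, not a parser: every hit needs manual review to decide
// whether the evaluated string can come from untrusted input.
const SINKS = [
  // Direct eval(...). The lookbehind skips obj.eval( and names like medieval(.
  { name: "eval", re: /(?<![\w$.])eval\s*\(/g },
  // Indirect eval, e.g. (0, eval)(src).
  { name: "indirect eval", re: /\(\s*0\s*,\s*eval\s*\)\s*\(/g },
  // Function constructor, with or without `new`. Skips isFunction( and x.Function(.
  { name: "Function constructor", re: /(?<![\w$.])(?:new\s+)?Function\s*\(/g },
];

// Returns [{ file, line, column, sink }] for each suspected call site.
function findEvalSinks(source, file = "<input>") {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    // Skip comment-only lines; block comments are still scanned (over-report).
    if (text.trim().startsWith("//")) return;
    for (const { name, re } of SINKS) {
      re.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = re.exec(text)) !== null) {
        hits.push({ file, line: i + 1, column: m.index + 1, sink: name });
      }
    }
  });
  return hits;
}

// Constructed sample input (not taken from any real application).
const SAMPLE = [
  "const run = (src) => eval(src);",
  'const f = new Function("a", "return a + " + body);',
  "const g = (0, eval)(payload);",
  "// eval(legacy) was removed",
  "redis.eval(script); medieval(1); isFunction(x);",
].join("\n");

for (const h of findEvalSinks(SAMPLE, "sample.js")) {
  console.log(`${h.file}:${h.line}:${h.column} ${h.sink}`);
}
```

Run it over the application's own source and over bundled dependencies, since a third-party module can introduce the evaluation path.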

🔍 How to Verify

Check if Vulnerable:

Check the Hermes version/commit hash in the application. If it uses a commit prior to 091835377369c8fd5917d9b87acffa721ad2a168, it is vulnerable.

Check Version:

Check application's Hermes version through build configuration or runtime inspection if available.

Verify Fix Applied:

Verify Hermes commit is 091835377369c8fd5917d9b87acffa721ad2a168 or later in application build.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected JavaScript evaluation errors

Network Indicators:

  • Unusual JavaScript payloads being sent to application endpoints

SIEM Query:

Search for application logs containing 'Hermes', 'JavaScript engine crash', or memory violation errors
