CVE-2020-1914 – A logic vulnerability in Facebook Hermes JavaSc... (How to Fix)

📋 TL;DR

A logic vulnerability in Facebook Hermes JavaScript engine allows attackers to potentially read out of bounds or execute arbitrary code via crafted JavaScript. This affects applications using Hermes that evaluate untrusted JavaScript. Most React Native applications are not affected since they typically don't evaluate untrusted code.

💻 Affected Systems

Products:

Facebook Hermes JavaScript engine

Versions: All versions prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc

Operating Systems: All platforms running Hermes

Default Config Vulnerable: ⚠️ Yes

Notes: Only exploitable if application permits evaluation of untrusted JavaScript

📦 What is this software?

Hermes by Facebook

View all CVEs affecting Hermes →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise

🟠

Likely Case

Memory corruption leading to application crash or information disclosure

🟢

If Mitigated

No impact if application doesn't evaluate untrusted JavaScript

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires ability to inject and execute JavaScript in vulnerable Hermes instance

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit b2021df620824627f5a8c96615edbd1eb7fdddfc or later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2020-1914

Restart Required: Yes

Instructions:

1. Update Hermes to commit b2021df620824627f5a8c96615edbd1eb7fdddfc or later
2. Rebuild any applications using Hermes
3. Redeploy updated applications
4. Restart affected services

🔧 Temporary Workarounds

Disable untrusted JavaScript evaluation

all

Prevent evaluation of untrusted JavaScript in Hermes engine

🧯 If You Can't Patch

Implement strict input validation for JavaScript code
Sandbox Hermes execution environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check Hermes version/commit hash against vulnerable range

Check Version:

Check application dependencies or build configuration for Hermes version

Verify Fix Applied:

Verify Hermes is at commit b2021df620824627f5a8c96615edbd1eb7fdddfc or later

📡 Detection & Monitoring

Log Indicators:

Application crashes
Memory access violation errors
Unexpected JavaScript execution

Network Indicators:

Unusual JavaScript payloads being sent to application

SIEM Query:

Search for application crashes or memory violation events related to Hermes/JavaScript engine

📊 Metadata

CVE ID: CVE-2020-1914

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-670

Published: October 8, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc Patch,Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1914 Vendor Advisory
https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc Patch,Third Party Advisory
https://www.facebook.com/security/advisories/cve-2020-1914 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-1914, you might also want to check these: