CVE-2021-24037 – This CVE describes a use-after-free vulnerabili... (How to Fix)

Q: What is the severity of CVE-2021-24037?

CVE-2021-24037 has a CVSS score of 9.8 (CRITICAL). This CVE describes a use-after-free vulnerability in the Hermes JavaScript engine that could allow attackers to execute arbitrary code by crafting malicious JavaScript. Only applications that evaluate untrusted JavaScript are affected, which excludes most React Native applications. The vulnerability has a critical CVSS score of 9.8 due to its potential for remote code execution.

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Hermes JavaScript engine that could allow attackers to execute arbitrary code by crafting malicious JavaScript. Only applications that evaluate untrusted JavaScript are affected, which excludes most React Native applications. The vulnerability has a critical CVSS score of 9.8 due to its potential for remote code execution.

💻 Affected Systems

Products:

Hermes JavaScript engine
React Native applications using Hermes

Versions: Hermes versions prior to commit d86e185e485b6330216dee8e854455c694e3a36e

Operating Systems: All platforms running Hermes (iOS, Android, etc.)

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if application evaluates untrusted JavaScript. Most React Native apps don't do this by default.

📦 What is this software?

Hermes by Facebook

View all CVEs affecting Hermes →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Application crash or denial of service, with potential for limited code execution depending on application context and JavaScript evaluation permissions.

🟢

If Mitigated

No impact if application doesn't evaluate untrusted JavaScript or has been patched.

🌐 Internet-Facing: HIGH for applications that evaluate user-provided JavaScript, LOW for standard React Native apps.

🏢 Internal Only: MEDIUM for internal applications evaluating untrusted JavaScript, LOW otherwise.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires the application to evaluate attacker-controlled JavaScript, which is not typical for React Native applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes commit d86e185e485b6330216dee8e854455c694e3a36e and later

Vendor Advisory: https://www.facebook.com/security/advisories/CVE-2021-24037

Restart Required: Yes

Instructions:

1. Update Hermes to commit d86e185e485b6330216dee8e854455c694e3a36e or later. 2. Update React Native dependencies to use patched Hermes version. 3. Rebuild and redeploy applications. 4. Restart affected services.

🔧 Temporary Workarounds

Disable JavaScript evaluation

all

Prevent evaluation of untrusted JavaScript in applications

Sandbox JavaScript execution

all

Run JavaScript in isolated environments with limited permissions

🧯 If You Can't Patch

Disable evaluation of any untrusted JavaScript in applications
Implement strict input validation and sanitization for any JavaScript processing

🔍 How to Verify

Check if Vulnerable:

Check Hermes version/commit hash in your application. If using React Native, check which Hermes version is bundled.

Check Version:

Check application dependencies or build configuration for Hermes version

Verify Fix Applied:

Verify Hermes commit is d86e185e485b6330216dee8e854455c694e3a36e or later. Test that JavaScript evaluation still works without crashes.

📡 Detection & Monitoring

Log Indicators:

Application crashes related to Hermes or JavaScript evaluation
Unexpected memory access errors in logs

Network Indicators:

Unusual outbound connections from application after JavaScript evaluation

SIEM Query:

Search for process crashes containing 'hermes' or 'JavaScript engine' in application logs

📊 Metadata

CVE ID: CVE-2021-24037

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: June 15, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e Patch,Third Party Advisory
https://www.facebook.com/security/advisories/CVE-2021-24037 Vendor Advisory
https://github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36e Patch,Third Party Advisory
https://www.facebook.com/security/advisories/CVE-2021-24037 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24037, you might also want to check these: