CVE-2021-24044
📋 TL;DR
This vulnerability in the Hermes JavaScript engine allows attackers to cause type confusion by passing invalid JavaScript code with await/yield calls on non-async/non-generator functions, potentially leading to segmentation faults and remote code execution. It affects applications using Hermes versions before v0.10.0, particularly React Native applications on mobile platforms.
💻 Affected Systems
- Hermes JavaScript engine
- React Native applications using Hermes
📦 What is this software?
Hermes by Facebook
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete compromise of affected applications, potentially allowing an attacker to execute arbitrary code in the context of the application.
Likely Case
Application crashes (segmentation faults) causing denial of service and potential data corruption in affected React Native applications.
If Mitigated
With proper input validation and sandboxing, impact is limited to application crashes without privilege escalation.
🎯 Exploit Status
Exploitation requires delivering malicious JavaScript to the Hermes engine, which could occur through compromised web content, malicious ads, or other JavaScript injection vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.10.0 and later
Vendor Advisory: https://www.facebook.com/security/advisories/cve-2021-24044
Restart Required: Yes
Instructions:
1. Update Hermes to version 0.10.0 or later.
2. For React Native applications: Update React Native dependencies to use Hermes v0.10.0+.
3. Rebuild and redeploy affected applications.
🔧 Temporary Workarounds
Disable Hermes Engine
All platforms: Temporarily disable the Hermes JavaScript engine in React Native applications
For React Native: Set 'enableHermes: false' in android/app/build.gradle and iOS project settings
Input Validation
All platforms: Implement strict input validation for JavaScript code processed by Hermes
🧯 If You Can't Patch
- Implement network segmentation to isolate affected applications
- Deploy web application firewall (WAF) rules to detect and block suspicious JavaScript patterns
🔍 How to Verify
Check if Vulnerable:
Check Hermes version in application dependencies or runtime. For React Native apps, check hermes-engine version in package.json or build configuration.
Check Version:
For React Native: npx react-native info | grep Hermes
For direct Hermes: hermes --version
Verify Fix Applied:
Verify Hermes version is 0.10.0 or higher. Test application with known malicious JavaScript patterns that trigger the vulnerability.
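The dependency check described above can be scripted. The following is an added example, not code from the advisory or the Hermes project: it walks a parsed package-lock.json and flags every hermes-engine entry below 0.10.0. It assumes the application pulls Hermes through the hermes-engine npm package; the function names are hypothetical and the lockfile content is constructed sample data.

```javascript
const FIXED = [0, 10, 0]; // first fixed Hermes release per the advisory

// Parse "0.9.0", "v0.10.0" or "0.10.0-rc.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version is below 0.10.0; a 0.10.0 prerelease counts as below.
// Unparseable versions return true so they get reviewed by hand.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED[i]) return p.parts[i] < FIXED[i];
  }
  return p.pre;
}

// Collect entries from "packages" (lockfileVersion 2/3) and nested "dependencies" (version 1).
function findHermes(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/hermes-engine")) hits.push({ where: path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail.concat(name).join(" > ");
      if (name === "hermes-engine") hits.push({ where, version: meta.version });
      walk(meta.dependencies, trail.concat(name));
    }
  };
  walk(lock.dependencies, []);
  return hits.map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Constructed sample lockfile data, not taken from a real project.
const sampleLock = {
  packages: {
    "node_modules/hermes-engine": { version: "0.9.0" },
    "node_modules/some-lib/node_modules/hermes-engine": { version: "0.10.0" },
  },
  dependencies: {
    "react-native": { version: "0.0.0-sample", dependencies: { "hermes-engine": { version: "0.7.2" } } },
  },
};

console.log(findHermes(sampleLock));
```

On a real project, pass the result of JSON.parse on the lockfile contents to findHermes. Lockfiles that carry both layouts will report the same package twice, once per layout.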
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in application logs
- Unexpected application crashes with JavaScript engine errors
- Type confusion or memory corruption warnings
Network Indicators:
- Unusual JavaScript payloads containing await/yield patterns
- Suspicious JavaScript delivery to mobile applications
SIEM Query:
source="application_logs" AND ("segmentation fault" OR "hermes" OR "type confusion")