CVE-2021-24045

9.8 CRITICAL

📋 TL;DR

A type confusion vulnerability in the Facebook Hermes JavaScript engine prior to v0.10.0 could allow arbitrary code execution when processing untrusted JavaScript. Only applications that evaluate untrusted JavaScript code are affected, which excludes most React Native applications that don't execute user-provided code.

💻 Affected Systems

Products:
  • Facebook Hermes JavaScript engine
  • React Native applications using Hermes
Versions: All versions prior to v0.10.0
Operating Systems: Android, iOS, Windows, macOS, Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if application explicitly evaluates untrusted JavaScript using Hermes engine.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash or denial of service in React Native apps; code execution only in apps that evaluate untrusted JavaScript.

🟢 If Mitigated: No impact if application doesn't evaluate untrusted JavaScript or is properly patched.

🌐 Internet-Facing: MEDIUM - Only exploitable if application evaluates untrusted JavaScript from external sources.
🏢 Internal Only: LOW - Most React Native apps don't evaluate untrusted code internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the application to process malicious JavaScript, which is not the default behavior for most React Native apps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes v0.10.0 and later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2021-24045

Restart Required: Yes

Instructions:

  1. Update Hermes dependency to v0.10.0 or later in package.json.
  2. Run npm/yarn install.
  3. Rebuild and redeploy React Native application.
  4. Restart application services.

🔧 Temporary Workarounds

Disable JavaScript evaluation (all platforms)

Prevent evaluation of untrusted JavaScript in your application

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for any JavaScript evaluation
  • Isolate the JavaScript evaluation in a sandboxed environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check package.json for Hermes version <0.10.0 or examine application dependencies

Check Version:

npm list hermes-engine or check package.json for hermes-engine version

Verify Fix Applied:

Verify Hermes version is >=0.10.0 in package.json and node_modules/hermes-engine/package.json
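
The version check above can be automated against the npm lockfile, which records the hermes-engine copies actually resolved, including nested ones that package.json does not show. The following is an added example, not code from the advisory or the Hermes project; `findHermes`, `isAffected` and `SAMPLE_LOCK` are hypothetical names, and the sample lockfile is constructed.

```javascript
// Added example: audit a parsed package-lock.json for hermes-engine copies older than the fix.
const FIXED = [0, 10, 0]; // first fixed release per the advisory: v0.10.0

// Parse "0.9.0", "v0.10.0" or "0.10.0-rc.1" into { nums, pre }; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version is prior to 0.10.0. Unparseable versions and pre-releases
// of 0.10.0 itself are treated as affected (a conservative assumption of this example).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk a parsed lockfile: the flat "packages" map of lockfileVersion 2/3, or the
// nested "dependencies" tree of lockfileVersion 1. Returns every hermes-engine copy.
function findHermes(lock) {
  const found = [];
  const add = (path, meta) =>
    found.push({ path, version: meta.version, affected: isAffected(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === 'hermes-engine') add(path, meta);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'hermes-engine') add(`${prefix}node_modules/${name}`, meta);
      walk(meta.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/hermes-engine': { version: '0.10.0' },
    'node_modules/legacy-lib/node_modules/hermes-engine': { version: '0.9.0' },
  },
};

for (const h of findHermes(SAMPLE_LOCK)) {
  console.log(`${h.affected ? 'AFFECTED' : 'ok'}\t${h.version}\t${h.path}`);
}
```

An empty result only means no hermes-engine package is recorded in the lockfile that was checked.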

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with Hermes-related errors
  • Unexpected JavaScript evaluation attempts

Network Indicators:

  • Unusual outbound connections from React Native application

SIEM Query:

Search for process crashes containing 'hermes' or 'JavaScriptCore' in application logs
