CVE-2023-23556

9.8 CRITICAL

📋 TL;DR

A memory corruption vulnerability in the Hermes JavaScript engine allows arbitrary code execution when converting BigInt to Number values. It affects React Native applications that use a vulnerable Hermes version to execute untrusted JavaScript. Most React Native apps are unaffected because they typically don't execute untrusted code.

💻 Affected Systems

Products:
  • Hermes JavaScript engine
  • React Native applications using Hermes
Versions: Hermes versions prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80
Operating Systems: All platforms where Hermes runs (iOS, Android, Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when Hermes executes untrusted JavaScript. Most React Native apps don't execute untrusted code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Application crash or denial of service; RCE only in targeted attacks against apps executing untrusted JavaScript.

🟢 If Mitigated

No impact if Hermes isn't used or only trusted JavaScript is executed.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to inject untrusted JavaScript into the Hermes runtime.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes commit a6dcafe6ded8e61658b40f5699878cd19a481f80 and later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2023-23556

Restart Required: Yes

Instructions:

1. Update Hermes to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 or later.
2. For React Native apps: update the Hermes dependency and rebuild the application.
3. Redeploy updated applications.

🔧 Temporary Workarounds

Disable untrusted JavaScript execution
Platforms: all

Prevent execution of untrusted JavaScript in the Hermes runtime.

Use JavaScriptCore instead of Hermes
Platforms: all

Switch the React Native JavaScript engine to JavaScriptCore (iOS) or V8 (Android).

🧯 If You Can't Patch

  • Isolate applications using vulnerable Hermes versions in separate network segments
  • Implement strict input validation to prevent untrusted JavaScript injection

🔍 How to Verify

Check if Vulnerable:

Check Hermes version/commit hash in your application. If using React Native, check hermes-engine dependency version.

Check Version:

For React Native: npx react-native info | grep Hermes
For direct Hermes: hermes --version

Verify Fix Applied:

Verify Hermes commit is a6dcafe6ded8e61658b40f5699878cd19a481f80 or later. For React Native apps, verify rebuilt application uses patched Hermes.
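
Commit hashes are not ordered, so "or later" means the fix commit is an ancestor of the commit you build from. The following is an added example, not taken from the advisory or the Hermes project, that checks this in a local Hermes git checkout; the function name `hermes_fix_status` and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check whether a Hermes source checkout contains the fix
# commit named in this advisory. Function name and arguments are hypothetical.

FIX_COMMIT="a6dcafe6ded8e61658b40f5699878cd19a481f80"

# hermes_fix_status <checkout-dir> [rev] [fix-commit]
# Prints one of:
#   patched    - fix commit is an ancestor of (or equal to) rev
#   vulnerable - fix commit exists in the repo but is not an ancestor of rev
#   unknown    - not a git repo, rev does not resolve, or the fix commit
#                object is missing (e.g. shallow clone); never treat as patched
# Caveat: a cherry-picked backport has a different hash and is reported as
# vulnerable; confirm such branches against the vendor advisory.
hermes_fix_status() {
    dir=$1
    rev=${2:-HEAD}
    fix=${3:-$FIX_COMMIT}

    git -C "$dir" rev-parse --git-dir >/dev/null 2>&1 \
        || { echo unknown; return 2; }
    git -C "$dir" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1 \
        || { echo unknown; return 2; }
    # Without the fix commit object, ancestry cannot be decided.
    git -C "$dir" cat-file -e "$fix^{commit}" 2>/dev/null \
        || { echo unknown; return 2; }

    if git -C "$dir" merge-base --is-ancestor "$fix" "$rev"; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Stand-alone use: sh check.sh /path/to/hermes [rev]
if [ "${1:-}" != "" ]; then
    hermes_fix_status "$@"
fi
```

The exit status mirrors the printed result (0 patched, 1 vulnerable, 2 unknown), so the check can gate a CI build step.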

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected Hermes process termination
  • Unusual JavaScript execution patterns

Network Indicators:

  • Unexpected outbound connections from React Native applications
  • Suspicious JavaScript payloads in application traffic

SIEM Query:

Process:hermes AND (EventID:1000 OR ExceptionCode:c0000005)
