CVE-2023-24833

7.5 HIGH

📋 TL;DR

CVE-2023-24833 is a use-after-free vulnerability in BigIntPrimitive addition in the Hermes JavaScript engine that allows attackers to leak raw heap data from the Hermes VM. This primarily affects applications using Hermes to execute untrusted JavaScript code. Most React Native applications are not affected since they typically don't execute untrusted JavaScript.

💻 Affected Systems

Products:
  • Facebook Hermes JavaScript engine
Versions: All versions prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80
Operating Systems: All platforms running Hermes
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when Hermes is used to execute untrusted JavaScript. Most React Native applications are not affected as they typically don't execute untrusted code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could leak sensitive data from the Hermes VM heap, potentially exposing application secrets, cryptographic keys, or other sensitive information in memory.

🟠

Likely Case

Information disclosure through heap memory leaks when processing malicious JavaScript in affected Hermes deployments.

🟢

If Mitigated

No impact if Hermes is not used to execute untrusted JavaScript or if the patch is applied.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to execute JavaScript in the Hermes VM context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes commit a6dcafe6ded8e61658b40f5699878cd19a481f80 and later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2023-24833

Restart Required: Yes

Instructions:

1. Update Hermes to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 or later.
2. Rebuild and redeploy applications using Hermes.
3. Restart affected services.

🔧 Temporary Workarounds

Disable untrusted JavaScript execution (all platforms)

Prevent execution of untrusted JavaScript in the Hermes VM.

🧯 If You Can't Patch

  • Isolate Hermes instances that process untrusted JavaScript
  • Implement strict input validation and sandboxing for JavaScript execution

🔍 How to Verify

Check if Vulnerable:

Check Hermes version/commit hash against vulnerable range (pre-commit a6dcafe6ded8e61658b40f5699878cd19a481f80)

Check Version:

Check build configuration or package manager for Hermes version

Verify Fix Applied:

Verify Hermes is at commit a6dcafe6ded8e61658b40f5699878cd19a481f80 or later
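
One way to run this check when Hermes is built from a git checkout, as an added example (not taken from the vendor advisory or the Hermes project). The function name, its arguments and the exit codes are choices made for this example; the fix commit hash is the one given on this page.

```shell
#!/bin/sh
# Added example: is the Hermes fix commit contained in a given checkout?
# FIX is the fix commit named on this page; everything else is illustrative.
FIX=a6dcafe6ded8e61658b40f5699878cd19a481f80

# usage: hermes_fix_status REPO_DIR [REV] [FIX_COMMIT]
# prints patched | vulnerable | unknown and returns 0 | 1 | 2
hermes_fix_status() {
    repo=$1
    rev=${2:-HEAD}
    fix=${3:-$FIX}

    # Not a git work tree, or REV does not resolve to a commit:
    # nothing can be concluded from this directory.
    if ! git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1; then
        echo unknown; return 2
    fi

    # Fix commit object is missing locally (shallow clone, or not a Hermes
    # repository). Ancestry cannot be evaluated, so do not guess "vulnerable".
    if ! git -C "$repo" cat-file -e "$fix^{commit}" 2>/dev/null; then
        echo unknown; return 2
    fi

    # "At the fix commit or later" means the fix commit is REV itself
    # or one of REV's ancestors.
    if git -C "$repo" merge-base --is-ancestor "$fix" "$rev" 2>/dev/null; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Stand-alone use: sh check_hermes.sh /path/to/hermes [REV]
if [ "$#" -gt 0 ]; then
    hermes_fix_status "$@"
fi
```

An `unknown` result from a shallow clone can be resolved by fetching full history (`git fetch --unshallow`) and running the check again.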

📡 Detection & Monitoring

Log Indicators:

  • Unexpected memory access patterns
  • Hermes process crashes or abnormal behavior

Network Indicators:

  • Unusual outbound data transfers from Hermes processes

SIEM Query:

Process:hermes AND (EventID:1000 OR Memory:AccessViolation)
