CVE-2023-25933

9.8 CRITICAL

📋 TL;DR

A type confusion vulnerability in Hermes JavaScript engine's TypedArray implementation allows arbitrary code execution when processing untrusted JavaScript. This affects React Native applications using vulnerable Hermes versions to execute untrusted JavaScript code. Most React Native apps are not affected unless they specifically execute untrusted JavaScript.

💻 Affected Systems

Products:
  • Hermes JavaScript engine
  • React Native applications using Hermes
Versions: Hermes versions prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81
Operating Systems: All platforms where Hermes runs (iOS, Android, etc.)
Default Config Vulnerable: ✅ No
Notes: Only exploitable when Hermes executes untrusted JavaScript; most React Native apps don't do this by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Limited impact since most React Native apps don't execute untrusted JavaScript; potential compromise in apps with JavaScript evaluation features.

🟢 If Mitigated

No impact if Hermes is not used or if untrusted JavaScript execution is prevented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires delivering malicious JavaScript to a vulnerable Hermes instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hermes commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 or later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2023-25933

Restart Required: Yes

Instructions:

1. Update Hermes to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 or later.
2. Update React Native dependencies to use patched Hermes.
3. Rebuild and redeploy applications.

🔧 Temporary Workarounds

Disable untrusted JavaScript execution

all

Prevent Hermes from executing untrusted JavaScript code in your application.

Use JavaScriptCore instead of Hermes

all

Configure React Native to use JavaScriptCore engine instead of Hermes.

🧯 If You Can't Patch

  • Implement strict input validation for any JavaScript execution
  • Isolate JavaScript execution in sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check Hermes version in your React Native project: look for Hermes commit hash in dependencies or build configuration.

Check Version:

Check React Native project configuration files (package.json, build.gradle, Podfile) for Hermes version references.

Verify Fix Applied:

Verify Hermes commit is e6ed9c1a4b02dc219de1648f44cd808a56171b81 or later in your build.
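
For a commit hash, "or later" means the fix commit is an ancestor of the revision you build from, which cannot be judged by comparing hash strings or dates. The following is an added example, not code from the advisory or the Hermes project; it assumes a local git clone of the Hermes source checked out at the revision your build uses, and the function name and return codes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: does a Hermes source revision contain the fix commit?
# Fix commit hash as given in this advisory.
FIX_COMMIT="e6ed9c1a4b02dc219de1648f44cd808a56171b81"

# hermes_has_fix <repo_dir> [revision] [fix_commit]
# Return codes (hypothetical convention for this example):
#   0  fix_commit is an ancestor of, or equal to, revision (patched)
#   1  fix_commit is not an ancestor of revision (vulnerable)
#   2  cannot decide: not a git repo, unknown revision, or the fix
#      commit is missing locally (for example in a shallow clone)
hermes_has_fix() {
    hf_repo="$1"
    hf_rev="${2:-HEAD}"
    hf_fix="${3:-$FIX_COMMIT}"

    # The directory must be a git work tree or bare repository.
    git -C "$hf_repo" rev-parse --git-dir >/dev/null 2>&1 || return 2

    # Both commits must exist locally, otherwise ancestry is undecidable.
    git -C "$hf_repo" cat-file -e "${hf_fix}^{commit}" 2>/dev/null || return 2
    git -C "$hf_repo" cat-file -e "${hf_rev}^{commit}" 2>/dev/null || return 2

    # merge-base --is-ancestor exits 0 (ancestor), 1 (not), other (error).
    hf_rc=0
    git -C "$hf_repo" merge-base --is-ancestor "$hf_fix" "$hf_rev" \
        2>/dev/null || hf_rc=$?
    case "$hf_rc" in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}

# Usage (path is a placeholder for your own Hermes checkout):
#   hermes_has_fix /path/to/hermes HEAD && echo "fix present"
```

Treat return code 2 as "unknown", not as "patched": fetch full history and rerun the check.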

📡 Detection & Monitoring

Log Indicators:

  • Unexpected JavaScript evaluation errors
  • Memory access violations in Hermes logs

Network Indicators:

  • Unexpected JavaScript code delivery to application endpoints

SIEM Query:

Search for process creation events from Hermes or React Native with suspicious command-line arguments.
