CVE-2020-1913

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-1913
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1913.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-1913
Aliases
Published
2020-09-09T19:15:21Z
Modified
2025-10-21T05:44:53.309237Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

References

Affected packages

Git / github.com/facebook/hermes

Affected ranges

Type
GIT
Repo
https://github.com/facebook/hermes
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6

Affected versions

v0.*

v0.1.0
v0.1.1
v0.2.1
v0.3.0
v0.4.0
v0.5.0
v0.6.0

Database specific

vanir_signatures

[
    {
        "id": "CVE-2020-1913-2a7576a5",
        "source": "https://github.com/facebook/hermes/commit/2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6",
        "digest": {
            "line_hashes": [
                "269855236786415552897600691540973001776",
                "177911722898958163395498130285053245701",
                "323305219191426086056088233757066307798",
                "39448789090986036212948688995972952205",
                "157409732076311284422209343788055103811"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "lib/VM/Interpreter.cpp"
        },
        "signature_type": "Line",
        "deprecated": false
    }
]