History: Oct 11, 2022 - 2:15 a.m.

CVE-2022-35289

2022-10-11 02:15:08
CWE-190
CWE-680
web.nvd.nist.gov
cve-2022-35289
hermes
integer overflow
arbitrary code execution
javascript
nvd

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6 High (Confidence: High)

EPSS: 0.003 Low (Percentile: 70.0%)

A write-what-where condition in Hermes, caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Affected configurations

NVD
Node: facebook hermes, Range: <0.12.0

CPE              Name             Operator  Version
facebook:hermes  facebook hermes  lt        0.12.0

CNA Affected

[
  {
    "vendor": "Facebook",
    "product": "Hermes",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
