CVE-2023-24832

A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash an Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execut...

Malicious code in react-xterm2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5f7c63ca98cf3df8c6642ac2a87eb6834e09162e30cd05b50172c8fa4f5cd32 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in garena-react-template-redux (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d59bac5979a72479c1bacdf22d89116f9a1885cc09f00ca01e3717741e177c65 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4394 Malicious code in react-xterm2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a5f7c63ca98cf3df8c6642ac2a87eb6834e09162e30cd05b50172c8fa4f5cd32 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4351 Malicious code in garena-react-template-redux (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d59bac5979a72479c1bacdf22d89116f9a1885cc09f00ca01e3717741e177c65 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2022-40138

An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have been used to perform Out-Of-Bounds operations and subsequently execute arbitrary code. Note that this is only exploitable in cases where Hermes is used to execute...

CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

CVE-2021-24037

A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of...

CVE-2021-21320

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so...

CVE-2021-41176

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted...

CVE-2021-24045

A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected...

CVE-2020-1911

A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only...

CVE-2020-1915

An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application...

MAL-2025-4158 Malicious code in @rf-ui-platform/react-ui-components (npm)

--- -= Per source details. Do not edit below this line.=-...

MAL-2025-4157 Malicious code in @rf-auth/rf-auth-react (npm)

--- -= Per source details. Do not edit below this line.=-...

Malicious code in @dailyapy-rn/rn-push-provisioning (npm)

--- -= Per source details. Do not edit below this line.=-...

Malicious code in react-native-scrollpageviewtest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dcee80fff21305590dcf04ace763231bdd81fcc2ef72bf8492ed79a60a17cd3c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4284 Malicious code in react-native-scrollpageviewtest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware dcee80fff21305590dcf04ace763231bdd81fcc2ef72bf8492ed79a60a17cd3c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4116 Malicious code in react-youtube-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 930546883aa218e28dc95d9e402e8af0737df76f72952337c765ce73ae6fab8f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in react-youtube-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 930546883aa218e28dc95d9e402e8af0737df76f72952337c765ce73ae6fab8f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...