Miggo Logo
Miggo Vulnerability Database
CVE-2020-1911

CVE-2020-1911: Access of Resource Using Incompatible Type in Facebook Hermes

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-1911
GHSA ID
GHSA-f5x2-xv93-4p23
EPSS Score
0.76203%
CWE
CWE-843
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
hermes-enginenpm<= 0.4.30.5.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows a critical fix in JSObject.cpp where the HostObject cast source was changed from 'selfHandle' to 'propObj'. This directly addresses a type confusion scenario where the receiver object was improperly used instead of the prototype chain's actual property holder when resolving computed properties. The added test case in testlib.cpp validates prototype chain handling for HostObjects, confirming the attack vector involves prototype manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* typ* *on*usion vuln*r**ility w**n r*solvin* prop*rti*s o* J*v*S*ript o*j**ts wit* sp**i*lly-*r**t** prototyp* ***ins in *****ook **rm*s prior to *ommit **************************************** *llows *tt**k*rs to pot*nti*lly *x**ut* *r*itr*ry *o**

Reasoning

T** *ommit *i** s*ows * *riti**l *ix in `JSO*j**t.*pp` w**r* t** `*ostO*j**t` **st sour** w*s ***n*** *rom 's*l***n*l*' to 'propO*j'. T*is *ir**tly ***r*ss*s * typ* *on*usion s**n*rio w**r* t** r***iv*r o*j**t w*s improp*rly us** inst*** o* t** proto
CVE-2020-1911: Hermes JS Type Confusion RCE | Miggo