9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-24037

GHSA ID

GHSA-mph8-6787-r8hw

EPSS Score

0.66479%

CWE

CWE-416

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-24037

CVE-2021-24037: Use After Free in Hermes

A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-24037

CVE-2021-24037:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-24037

GHSA ID

GHSA-mph8-6787-r8hw

EPSS Score

0.66479%

CWE

CWE-416

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hermes-engine	npm	<= 0.7.2	0.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two interrelated issues:

In Interpreter.cpp, transientObjectPutErrorMessage called getUTF16Ref twice with the same 'tmp' allocator. The first call's UTF16Ref became invalid after the second append.
StringView.h's getUTF16Ref implementation permitted non-empty allocators, enabling this unsafe reuse. The patch adds an assertion enforcing empty allocators and splits the buffers in transientObjectPutErrorMessage. The commit message explicitly identifies transientObjectPutErrorMessage as the trigger location, while the getUTF16Ref precondition violation enabled the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-24037: Use After Free in Hermes

CVE-2021-24037:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

9.8

9.8

CVE-2021-24037: Use After Free in Hermes

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI