CVE-2021-24044: Access of Resource Using Incompatible Type ('Type Confusion')

January 16, 2022 (updated June 22, 2022)

By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE. This issue affects Hermes versions prior to v0.10.0.

References

github.com/advisories/GHSA-7mhc-prgv-r3q4
nvd.nist.gov/vuln/detail/CVE-2021-24044
www.facebook.com/security/advisories/cve-2021-24044

Code Behaviors & Features

Detect and mitigate CVE-2021-24044 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →