GCVE - cpe:2.3:a:facebook:hermes:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:facebook:hermes:-:*:*:*:*:*:*:*

part: a version: - update: *

Vendor	Facebook (`c319c35a-3469-5baa-b3bd-8582d1206a92`)
Product	Hermes (`e0e95d03-34e5-5a1a-b1eb-60c308274f0a`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/facebook/hermes`	purl2cpe	2026-06-01 10:11:43.225342

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-30470`	vulnerable	2026-06-03 14:51:52.457294	Details available A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. Published: 2023-05-18T21:27:57.350Z Updated: 2025-01-21T20:09:25.765Z Open on db.gcve.eu Reference links https://www.facebook.com/security/advisories/cve-2023-30470 https://github.com/facebook/hermes/commit/da8990f737ebb9d9810633502f65ed462b819c09	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-28081`	vulnerable	2026-06-03 14:51:07.844293	Details available A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause an use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. Published: 2023-05-18T21:26:49.822Z Updated: 2025-01-21T20:16:02.965Z Open on db.gcve.eu Reference links https://www.facebook.com/security/advisories/cve-2023-28081 https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-25933`	vulnerable	2026-06-03 14:49:34.326158	Details available A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. Published: 2023-05-18T21:24:58.365Z Updated: 2025-01-21T20:20:00.366Z Open on db.gcve.eu Reference links https://www.facebook.com/security/advisories/cve-2023-25933 https://github.com/facebook/hermes/commit/e6ed9c1a4b02dc219de1648f44cd808a56171b81	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.