VYPR
Critical severity · NVD Advisory · Published Sep 4, 2020 · Updated Aug 4, 2024

CVE-2020-1911

Description

A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook Hermes prior to commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A type confusion bug in Facebook Hermes before commit fe52854cdf6725c2eaa9e125995da76e6ceb27da allows arbitrary code execution via crafted JavaScript with specially-designed prototype chains.

Vulnerability Details

CVE-2020-1911 is a type confusion vulnerability within Facebook Hermes, a JavaScript engine designed for mobile applications. The bug occurs during property resolution of JavaScript objects that have specially-crafted prototype chains, leading to type confusion in the interpreter [1][3]. The root cause was addressed in commit fe52854cdf6725c2eaa9e125995da76e6ceb27da, which corrected property lookup on HostObject computed properties [2].
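
A simplified C++ model of the lookup described above, added here as an illustration and not taken from Hermes. All names (`Obj`, `HostObj`, `asHost`, `findOwner`, `getBuggy`, `getFixed`) are hypothetical, and a checked cast stands in for the engine's cast so that the mismatch is reported instead of acted on.

```cpp
#include <string>
#include <utility>

// Simplified model (not Hermes code): every object has a kind tag and a
// prototype link; only HostObj carries the extra `value` field.
enum class Kind { Plain, Host };
struct Obj {
  Kind kind;
  const Obj* proto;
  Obj(Kind k, const Obj* p) : kind(k), proto(p) {}
};
struct HostObj : Obj {
  std::string value;
  explicit HostObj(std::string v, const Obj* p = nullptr)
      : Obj(Kind::Host, p), value(std::move(v)) {}
};

// Checked downcast: returns nullptr rather than reinterpreting a Plain object.
// With an unchecked cast, this is the point where type confusion would occur.
const HostObj* asHost(const Obj* o) {
  return (o && o->kind == Kind::Host) ? static_cast<const HostObj*>(o) : nullptr;
}

// Walk the chain from the receiver and return the object that owns the
// host-backed property (the role propObj plays in the fix).
const Obj* findOwner(const Obj* self) {
  for (const Obj* o = self; o; o = o->proto)
    if (o->kind == Kind::Host) return o;
  return nullptr;
}

enum class Result { Ok, NotFound, WrongObjectCast };

// Pre-fix shape: the owner is located on the chain, but the receiver is cast.
Result getBuggy(const Obj* self, std::string& out) {
  if (!findOwner(self)) return Result::NotFound;
  const HostObj* h = asHost(self);         // wrong object: receiver, not owner
  if (!h) return Result::WrongObjectCast;  // visible only because the cast is checked
  out = h->value;
  return Result::Ok;
}

// Post-fix shape: cast the object on which the property was actually found.
Result getFixed(const Obj* self, std::string& out) {
  const HostObj* h = asHost(findOwner(self));
  if (!h) return Result::NotFound;
  out = h->value;
  return Result::Ok;
}
```
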

Exploitation Vector

Exploitation requires the ability to evaluate untrusted JavaScript within an application using Hermes. An attacker must supply a JavaScript snippet that constructs objects with malicious prototype chains to trigger the type confusion [1][3]. The vulnerability does not require authentication beyond the ability to execute arbitrary scripts in the context of the Hermes runtime. The commit diff shows a test case demonstrating that a specially crafted prototype chain can cause Hermes to incorrectly resolve a property like Symbol.toPrimitive on a HostObject [2].

Impact

Successful exploitation could allow an attacker to achieve arbitrary code execution within the Hermes engine's process [1][3]. However, the official advisory notes that most React Native applications are not affected because they do not permit evaluation of untrusted JavaScript [1][3].

Mitigation

The vulnerability is patched in all versions of Facebook Hermes built from commit fe52854cdf6725c2eaa9e125995da76e6ceb27da or later [2]. Developers using Hermes should update to the latest version. As a general precaution, applications that evaluate untrusted JavaScript should restrict the input to prevent exploitation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| hermes-engine (npm) | < 0.5.2 | 0.5.2 |

Affected products

2
  • ghsa-coords
    Range: < 0.5.2
  • Facebook/Hermesv5
    Range: commit prior to fe52854cdf6725c2eaa9e125995da76e6ceb27da

Patches

1
fe52854cdf67

[CVE-2020-1911] Look up HostObject computed properties on the right object in the prototype chain.

https://github.com/facebook/hermes · Marc Horowitz · Aug 26, 2020 · via ghsa
2 files changed · +18 -1
  • API/jsi/jsi/test/testlib.cpp · +17 -0 · modified
    @@ -394,6 +394,23 @@ TEST_P(JSITest, HostObjectTest) {
                        .getBool());
     }
     
    +TEST_P(JSITest, HostObjectProtoTest) {
    +  class ProtoHostObject : public HostObject {
    +    Value get(Runtime& rt, const PropNameID&) override {
    +      return String::createFromAscii(rt, "phoprop");
    +    }
    +  };
    +
    +  rt.global().setProperty(
    +      rt,
    +      "pho",
    +      Object::createFromHostObject(rt, std::make_shared<ProtoHostObject>()));
    +
    +  EXPECT_EQ(
    +      eval("({__proto__: pho})[Symbol.toPrimitive]").getString(rt).utf8(rt),
    +      "phoprop");
    +}
    +
     TEST_P(JSITest, ArrayTest) {
       eval("x = {1:2, '3':4, 5:'six', 'seven':['eight', 'nine']}");
     
    
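Review bot: ProtoHostObject::get ignores its PropNameID argument and returns "phoprop" for every name, so the EXPECT_EQ in HostObjectProtoTest cannot tell which name was looked up, and the test covers only one chain shape: a plain object whose direct __proto__ is the host object, read through a computed Symbol.toPrimitive key. Consider adding a case with the host object two levels up, such as eval("({__proto__: {__proto__: pho}})[Symbol.toPrimitive]"), and a short comment tying the test to the JSObject.cpp change so its purpose as a regression test is clear.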
  • lib/VM/JSObject.cpp · +1 -1 · modified
    @@ -1173,7 +1173,7 @@ CallResult<PseudoHandle<>> JSObject::getComputedWithReceiver_RJS(
       } else if (desc.flags.hostObject) {
         SymbolID id{};
         LAZY_TO_IDENTIFIER(runtime, nameValPrimitiveHandle, id);
    -    auto propRes = vmcast<HostObject>(selfHandle.get())->get(id);
    +    auto propRes = vmcast<HostObject>(propObj.get())->get(id);
         if (propRes == ExecutionStatus::EXCEPTION)
           return ExecutionStatus::EXCEPTION;
         return createPseudoHandle(*propRes);
    
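Review bot: The corrected line vmcast<HostObject>(propObj.get())->get(id) has no comment saying why propObj, and not selfHandle, is the object to cast, and that distinction is the whole fix: in this branch selfHandle can be a different object in the prototype chain from the one the hostObject flag was found on. Please add a one-line comment to that effect, and confirm that no other branch guarded by desc.flags.hostObject still casts selfHandle.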

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
