VYPR
← All advisories
High severityNVD Advisory· Published Sep 9, 2020· Updated Aug 4, 2024

CVE-2020-1913

CVE-2020-1913

Description

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer signedness error in Hermes JavaScript interpreter can cause DoS or RCE via crafted JavaScript, but only if untrusted code is evaluated.

Vulnerability

Overview CVE-2020-1913 is an integer signedness error in the JavaScript interpreter of Facebook Hermes, a JavaScript engine optimized for React Native. The error occurs when handling certain switch-case statements, specifically related to backward branching in the SwitchImm instruction [3]. This flaw allows an attacker to craft specially designed JavaScript that triggers undefined behavior.

Exploitation

Prerequisites Exploitation requires the application using Hermes to permit evaluation of untrusted JavaScript code [1][2]. For most React Native applications, which typically execute only trusted code, this vulnerability is not exploitable. An attacker would need a scenario where arbitrary or user-supplied JavaScript can be executed, such as a developer tool or a misconfigured environment.

Impact

A successful exploit can lead to a denial of service (DoS) condition or potentially remote code execution (RCE) [1][2]. The denial of service is likely due to crashes from memory corruption, while RCE could be achieved by leveraging the signedness error to manipulate execution flow.

Mitigation

The vulnerability has been patched in commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 [3]. Users of Hermes should update to a version including this commit or later. No workarounds are mentioned for products that cannot be updated, though the limited attack surface reduces practical risk for typical deployments.

References
  1. NVD - CVE-2020-1913
  2. Facebook
  3. Fix backward branching in SwitchImm. · facebook/hermes@2c7af7e

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
hermes-enginenpm
< 0.5.20.5.2

Affected products

2
  • ghsa-coords
    pkg:npm/hermes-engine
    Range: < 0.5.2
  • Facebook/Hermesv5
    Range: commit prior to 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6

Patches

1
2c7af7ec481c

Fix backward branching in SwitchImm.

https://github.com/facebook/hermesAakash PatelAug 14, 2020via ghsa
commit
3 files changed · +82 2
  • lib/VM/Interpreter.cpp+3 2 modified
    @@ -3387,8 +3387,9 @@ CallResult<HermesValue> Interpreter::interpretFunction(
                 (const uint8_t *)ip + ip->iSwitchImm.op2, sizeof(uint32_t));
 
             // Read the offset from the table.
-            const uint32_t *loc =
-                (const uint32_t *)tablestart + uintVal - ip->iSwitchImm.op4;
+            // Must be signed to account for backwards branching.
+            const int32_t *loc =
+                (const int32_t *)tablestart + uintVal - ip->iSwitchImm.op4;
 
             ip = IPADD(*loc);
             DISPATCH;
  • test/hermes/switch-regress1.js+43 0 added
    @@ -0,0 +1,43 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: %hermes -O0 %s | %FileCheck --match-full-lines %s
+// RUN: %hermes -O %s | %FileCheck --match-full-lines %s
+// RUN: %hermes -O -emit-binary -out %t.hbc %s && %hermes %t.hbc | %FileCheck --match-full-lines %s
+
+// Ensure that switch statements that are backwards branches work properly.
+
+(function() {
+  var j = 0;
+  for (var i = 0; i < 4; i++) {
+    ++j;
+    if (j > 5) {
+      return;
+    }
+    print(i);
+    switch (i) {
+      case 0:
+      case 1:
+      case 2:
+      case 3:
+      case 4:
+      case 5:
+      case 6:
+      case 7:
+      case 8:
+      case 9:
+        break;
+    }
+    i = 2;
+  }
+})();
+
+// CHECK: 0
+// CHECK: 3
+// CHECK: 3
+// CHECK: 3
+// CHECK: 3
  • test/Optimizer/switch_stmt.js+36 0 added
    @@ -0,0 +1,36 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: %hermes -O -dump-ir %s | %FileCheck %s
+
+function backwards_branch() {
+  for (var i = 0; i < 4; i++) {
+    switch (i) {
+      case 0:
+      case 1:
+      case 2:
+      case 3:
+      case 4:
+      case 5:
+      case 6:
+      case 7:
+      case 8:
+      case 9:
+        break;
+    }
+    i = 2;
+  }
+}
+
+// CHECK-LABEL: function backwards_branch() : undefined
+// CHECK-NEXT: frame = []
+// CHECK-NEXT: %BB0:
+// CHECK-NEXT:   %0 = BranchInst %BB1
+// CHECK-NEXT: %BB1:
+// CHECK-NEXT:   %1 = PhiInst 0 : number, %BB0, 3 : number, %BB1
+// CHECK-NEXT:   %2 = SwitchInst %1 : number, %BB1, 0 : number, %BB1, 1 : number, %BB1, 2 : number, %BB1, 3 : number, %BB1, 4 : number, %BB1, 5 : number, %BB1, 6 : number, %BB1, 7 : number, %BB1, 8 : number, %BB1, 9 : number, %BB1
+// CHECK-NEXT: function_end

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.