{"id":"CVE-2020-1896","details":"A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2) allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.","modified":"2026-04-11T16:25:26.975491Z","published":"2021-02-02T07:15:13.333Z","references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2020-1896"},{"type":"FIX","url":"https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hermes","events":[{"introduced":"0"},{"fixed":"0d9a5a169f8bfe6ae1924e7c0fdadc250a13eab0"},{"fixed":"86543ac47e59c522976b5632b8bf9a2a4583c7d2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.5.0"}]}}],"versions":["v0.1.0","v0.1.1","v0.2.1","v0.3.0","v0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1896.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["65291890038099781924426883632508187889","299677363361280207878625905950613097760","69186696387276870478546688375186526300","114206067582785678598860175090702756842"]},"target":{"file":"lib/VM/JSLib/HermesBuiltin.cpp"},"id":"CVE-2020-1896-0f06f57e","signature_type":"Line","source":"https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2"},{"signature_version":"v1","deprecated":false,"digest":{"length":1079,"function_hash":"269154751263713584753303437130333606684"},"target":{"function":"hermesBuiltinApply","file":"lib/VM/JSLib/HermesBuiltin.cpp"},"id":"CVE-2020-1896-57eed3a5","signature_type":"Function","source":"https://github.com/facebook/hermes/commit/86543ac47e59c522976b5632b8bf9a2a4583c7d2"},{"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["59904314210841726621628868634318956886","205745905449999141144212965523404656288","102836579593203562967692902390945871995","120266405696978800214908112093566521589","33061459321457223242533016843197181759","276965210844653086103314872401746363436","121449800084972697184823246907957091700","137724114391375106127167225243105084744"]},"target":{"file":"unittests/VMRuntime/HeapSnapshotTest.cpp"},"id":"CVE-2020-1896-8c26ca38","signature_type":"Line","source":"https://github.com/facebook/hermes/commit/0d9a5a169f8bfe6ae1924e7c0fdadc250a13eab0"},{"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["132327419447843386483164957063650858045","212330133676324407519424814799895777986","158194683721155146688377712615393391968","308207807063300310421227680825529662536","141670276976920949295131461585260407782","252253721287428524805769084492107329796","45028296939925412377297414630962461896"]},"target":{"file":"lib/VM/Profiler/InlineCacheProfiler.cpp"},"id":"CVE-2020-1896-eba3805d","signature_type":"Line","source":"https://github.com/facebook/hermes/commit/0d9a5a169f8bfe6ae1924e7c0fdadc250a13eab0"},{"signature_version":"v1","deprecated":false,"digest":{"length":578,"function_hash":"303214076970256173939311261023820653319"},"target":{"function":"InlineCacheProfiler::getRankedInlineCachingMisses","file":"lib/VM/Profiler/InlineCacheProfiler.cpp"},"id":"CVE-2020-1896-fd9ef7fe","signature_type":"Function","source":"https://github.com/facebook/hermes/commit/0d9a5a169f8bfe6ae1924e7c0fdadc250a13eab0"}],"vanir_signatures_modified":"2026-04-11T16:25:26Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}