{"id":"CVE-2021-24045","details":"A type confusion vulnerability could be triggered when resolving the \"typeof\" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.","modified":"2026-04-11T13:53:55.377360Z","published":"2021-12-13T21:15:08.923Z","references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2021-24045"},{"type":"FIX","url":"https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/hermes","events":[{"introduced":"0"},{"fixed":"98f5028619294b6b14cddf5903a0f831d0edef9c"},{"fixed":"55e1b2343f4deb1a1b5726cfe1e23b2068217ff2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.10.0"}]}}],"versions":["v0.1.0","v0.1.1","v0.2.1","v0.3.0","v0.4.0","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.9.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T13:53:55Z","vanir_signatures":[{"signature_type":"Function","target":{"function":"hermes::evalUnaryOperator","file":"lib/IR/IREval.cpp"},"id":"CVE-2021-24045-18d585de","deprecated":false,"source":"https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2","signature_version":"v1","digest":{"function_hash":"210189128054367564957160263332755954752","length":1593}},{"signature_type":"Function","target":{"function":"createObjectConstructor","file":"lib/VM/JSLib/Object.cpp"},"id":"CVE-2021-24045-2abf4027","deprecated":false,"source":"https://github.com/facebook/hermes/commit/98f5028619294b6b14cddf5903a0f831d0edef9c","signature_version":"v1","digest":{"function_hash":"28119057494351730174264949473428385543","length":4517}},{"signature_type":"Line","target":{"file":"lib/VM/JSLib/Object.cpp"},"id":"CVE-2021-24045-3fe77b4f","deprecated":false,"source":"https://github.com/facebook/hermes/commit/98f5028619294b6b14cddf5903a0f831d0edef9c","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["156164893267926276119498081931587824656","130702755843183064893722258247476490947","187778433998099261786328089378702710635","325593157944680459102889579367643710387"]}},{"signature_type":"Line","target":{"file":"lib/IR/IREval.cpp"},"id":"CVE-2021-24045-86b84167","deprecated":false,"source":"https://github.com/facebook/hermes/commit/55e1b2343f4deb1a1b5726cfe1e23b2068217ff2","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["318557679244333546349812987575074249562","237607294457643462554712443821820446880","318253231071571976976921282638770343067","225974687793471217526900685326065131464"]}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24045.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}