Comprehensive Technical Analysis of CVE-2023-23557

Hermes JavaScript Engine Type Confusion Vulnerability (Arbitrary Code Execution)

1. Vulnerability Assessment and Severity Evaluation

Overview

CVE-2023-23557 is a critical type confusion vulnerability in Hermes, a JavaScript engine optimized for React Native applications. The flaw resides in the object property copying algorithm, where improper type handling during property assignment can lead to memory corruption, enabling arbitrary code execution (ACE).

Severity Metrics (CVSS v3.1: 9.8)

Metric	Value	Explanation
Attack Vector	Network (AV:N)	Exploitable remotely via malicious JavaScript.
Attack Complexity	Low (AC:L)	No special conditions required.
Privileges Required	None (PR:N)	No authentication needed.
User Interaction	None (UI:N)	Exploitable without user interaction.
Scope	Unchanged (S:U)	Affects the Hermes engine, not the underlying OS.
Confidentiality	High (C:H)	Full memory read/write possible.
Integrity	High (I:H)	Arbitrary code execution achievable.
Availability	High (A:H)	Engine crash or persistent DoS possible.

Risk Classification

• Critical (CVSS 9.8) – High-impact, remotely exploitable, no user interaction required.
• Exploitability Likelihood: High – Type confusion vulnerabilities are historically well-documented (e.g., CVE-2018-17463 in V8) and often weaponized in exploit chains.
• Exploit Maturity: Proof-of-Concept (PoC) likely exists (given the nature of the bug and public patch details).

---

2. Potential Attack Vectors and Exploitation Methods

Attack Surface

The vulnerability is only exploitable in environments where Hermes executes untrusted JavaScript, such as:

• React Native applications that load remote JavaScript (e.g., from a CDN or user-provided input).
• Hybrid mobile apps (e.g., Cordova, Capacitor) using Hermes as the JS engine.
• Server-side JavaScript execution (if Hermes is used in a backend context).

Exploitation Mechanism

1. Type Confusion Primitive

   • The bug occurs in Hermes’ object property copying logic, where a mismatch between expected and actual object types leads to incorrect memory access.
   • An attacker crafts a malicious JavaScript object that triggers the type confusion when properties are copied.

2. Memory Corruption & Arbitrary Read/Write

   • The type confusion allows an attacker to misinterpret memory structures, leading to:
     • Out-of-bounds (OOB) read/write (if the engine uses typed arrays or buffers).
     • Use-after-free (UAF) (if object lifetimes are mismanaged).
   • This can be leveraged to overwrite function pointers, return addresses, or JIT-compiled code.

3. Arbitrary Code Execution (ACE)

   • By corrupting memory, an attacker can:
     • Bypass ASLR/DEP (if applicable).
     • Execute shellcode (e.g., via ROP chains in JIT regions).
     • Escape the JavaScript sandbox (if combined with other vulnerabilities).

Exploitation Requirements

• No user interaction is required if the app loads remote JS (e.g., via eval(), Function(), or dynamic imports).
• No authentication is needed if the app processes untrusted input.
• Mitigations like JIT hardening (e.g., CFI, XOM) may complicate exploitation but are not guaranteed to prevent it.

Example Attack Scenario

1. Victim App: A React Native app loads a malicious JavaScript bundle from a compromised CDN.
2. Exploit Execution:
   • The attacker’s JS triggers the type confusion during property copying.
   • Memory corruption occurs, leading to arbitrary code execution in the Hermes engine’s context.
3. Post-Exploitation:
   • Data exfiltration (e.g., stealing cookies, local storage).
   • Privilege escalation (if combined with a native code vulnerability).
   • Persistence (e.g., modifying app behavior or installing malware).

---

3. Affected Systems and Software Versions

Vulnerable Software

• Hermes JavaScript Engine (versions prior to commit a00d237346894c6067a594983be6634f4168c9ad).
• React Native applications using Hermes if they execute untrusted JavaScript.

Not Affected

• React Native apps that do not load external JS (e.g., fully bundled apps with no eval() or dynamic imports).
• Other JavaScript engines (V8, JavaScriptCore, SpiderMonkey).
• Server-side Hermes usage (unless processing untrusted input).

Patch Status

• Fixed in Hermes commit a00d237346894c6067a594983be6634f4168c9ad (May 2023).
• React Native versions incorporating the patch are no longer vulnerable.

---

4. Recommended Mitigation Strategies

Immediate Actions

1. Apply the Patch

   • Update Hermes to the latest version (post-commit a00d2373).
   • For React Native apps, upgrade to a version that includes the fix (check React Native releases).

2. Disable Hermes (Temporary Workaround)

   • If patching is not immediately possible, disable Hermes in android/app/build.gradle:

     project.ext.react = [
         enableHermes: false
     ]
     

   • Trade-off: Performance degradation (Hermes is optimized for React Native).

3. Sanitize JavaScript Inputs

   • Avoid eval(), Function(), and dynamic import() with untrusted input.
   • Use Content Security Policy (CSP) to restrict script sources:

     <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
     

4. Isolate Untrusted JavaScript

   • Run untrusted JS in a sandboxed WebView (with javascriptEnabled: false for Hermes).
   • Use worker threads with reduced privileges.

Long-Term Defenses

1. Memory Safety Hardening

   • Enable Control-Flow Integrity (CFI) and Code Pointer Integrity (CPI) if supported.
   • Use W^X (Write XOR Execute) memory protections to prevent JIT-based exploits.

2. Runtime Exploit Mitigations

   • Deploy ASAN (AddressSanitizer) or HWASAN in development to detect memory corruption.
   • Use CFG (Control Flow Guard) on Windows or PAC (Pointer Authentication) on ARM.

3. Monitoring & Detection

   • Log and alert on suspicious JavaScript execution (e.g., unexpected eval() calls).
   • Instrument Hermes to detect type confusion attempts (e.g., via custom hooks).

4. Dependency Management

   • Audit third-party libraries for dynamic JS execution.
   • Use dependency scanning tools (e.g., npm audit, Snyk, Dependabot).

---

5. Impact on the Cybersecurity Landscape

Broader Implications

1. Mobile App Security

   • React Native is widely used (e.g., Facebook, Instagram, Shopify), making this a high-impact vulnerability.
   • Hybrid apps (Cordova, Capacitor) may also be affected if they use Hermes.

2. Exploit Development Trends

   • Type confusion vulnerabilities are a favorite target for exploit writers (e.g., Pwn2Own, browser exploits).
   • Weaponization potential is high—similar bugs (e.g., CVE-2021-30632 in V8) have been used in the wild.

3. Supply Chain Risks

   • Compromised CDNs or third-party JS libraries could deliver exploits to millions of users.
   • Malvertising campaigns could leverage this in mobile ad SDKs.

4. Defensive Advancements

   • Hermes may adopt stricter type checking in future versions.
   • React Native security hardening (e.g., default CSP, sandboxing) may improve.

Historical Context

• Similar Vulnerabilities:
  • CVE-2018-17463 (V8 type confusion, exploited in the wild).
  • CVE-2021-30632 (Chrome V8 type confusion, used in Pwn2Own).
• Lessons Learned:
  • JavaScript engines remain high-value targets due to their complexity.
  • Memory safety issues persist despite mitigations (e.g., JIT hardening).

---

6. Technical Details for Security Professionals

Root Cause Analysis

The vulnerability stems from Hermes’ object property copying logic, specifically in how it handles property descriptors when copying from one object to another. The bug manifests when:

1. Type Mismatch in Property Descriptors

   • Hermes fails to properly validate the type of property descriptors during copying.
   • An attacker can craft an object where a property descriptor is misinterpreted (e.g., a DataDescriptor treated as an AccessorDescriptor).

2. Memory Corruption via Type Confusion

   • The engine may incorrectly dereference a pointer, leading to:
     • OOB read/write (if the descriptor is treated as a typed array).
     • UAF (if the object is freed while still referenced).
   • This can be used to overwrite critical structures (e.g., vtables, JIT code).

3. Exploitation via JIT Spraying (Hypothetical)

   • If Hermes uses JIT compilation, an attacker could:
     • Spray JIT memory with controlled data.
     • Corrupt a JIT function pointer to redirect execution.

Patch Analysis

The fix (a00d237346894c6067a594983be6634f4168c9ad) introduces:

• Stricter type checking in hermes::vm::defineProperty().
• Additional validation for property descriptor types before copying.
• Bounds checking to prevent OOB access.

Exploit Development Considerations

1. Triggering the Bug

   • Craft an object with a malformed property descriptor (e.g., mixing value and get/set fields).
   • Use Object.defineProperty() or Object.assign() to trigger the copy.

2. Memory Corruption Primitive

   • Leak a heap address (e.g., via ArrayBuffer or TypedArray).
   • Overwrite a function pointer or return address to gain control.

3. Bypassing Mitigations

   • ASLR Bypass: Leak a library address via WebAssembly.Memory.
   • DEP Bypass: Use JIT spraying or ROP chains in executable memory.

Detection & Forensics

1. Indicators of Compromise (IoCs)

   • Unexpected eval() or Function() calls in app logs.
   • Crashes in Hermes with type confusion signatures (e.g., EXC_BAD_ACCESS on iOS).
   • Suspicious network requests to attacker-controlled JS sources.

2. Memory Forensics

   • Heap analysis for corrupted objects (e.g., using gdb or lldb).
   • JIT memory inspection for injected shellcode.

3. Static & Dynamic Analysis

   • Static: Audit React Native apps for eval() or dynamic imports.
   • Dynamic: Fuzz Hermes with JavaScript test cases to detect crashes.

---

Conclusion

CVE-2023-23557 is a critical type confusion vulnerability in Hermes that enables arbitrary code execution in React Native applications processing untrusted JavaScript. While the impact is limited to apps loading external JS, the high CVSS score (9.8) and historical exploitability of similar bugs make this a serious threat.

Key Takeaways for Security Teams

✅ Patch immediately – Update Hermes and React Native to the latest version. ✅ Audit app dependencies – Remove or sandbox untrusted JavaScript sources. ✅ Harden runtime defenses – Enable CFI, CSP, and memory protections. ✅ Monitor for exploitation – Detect suspicious JS execution patterns.

Given the prevalence of React Native and the ease of exploitation, organizations should treat this vulnerability with high priority in their patch management and threat modeling processes.