CVE-2022-40138 An integer conversion error in Hermes bytecode generation could have been used to perform Out-Of-Bounds operations and execute arbitrary code.
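The following C program is an added teaching illustration of the bug class the advisory names, an integer conversion that feeds an array index, and is not Hermes's own code: the 8-bit operand width, the 16-entry constant table and the function names are assumptions. It shows the two ways such a conversion goes wrong (silent truncation when a wide slot number is narrowed at encode time, and a negative index when the operand is sign-converted at decode time), beside the checked versions that reject the value instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified "constant table" that a bytecode operand indexes into.
 * The 16-entry size and the 8-bit operand width are teaching assumptions,
 * not the Hermes bytecode format. */
#define TABLE_SIZE 16
static const int32_t constant_table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Failure mode 1: narrowing at encode time with no range check.
 * A 32-bit slot number is stored in an 8-bit operand, so slot 256 becomes 0
 * and slot 0x1FF becomes 0xFF: the emitted bytecode silently points at the
 * wrong slot, and the decoder cannot tell that anything went wrong. */
uint8_t encode_unchecked(uint32_t slot) {
    return (uint8_t)slot;            /* implicit truncation modulo 256 */
}

/* Failure mode 2: sign conversion at decode time with no bounds check.
 * Interpreting the operand as a signed byte turns 0x80..0xFF into negative
 * numbers. This returns the index the decoder WOULD use instead of reading
 * constant_table with it, so the bad index can be observed without UB.
 * (Converting an out-of-range value to int8_t is implementation-defined
 * before C23; two's-complement compilers wrap it, so 0xFF becomes -1.) */
int32_t decode_index_unchecked(uint8_t operand) {
    int8_t rel = (int8_t)operand;
    return (int32_t)rel;             /* -1 would read one element before the table */
}

/* Hardened encoder: reject any slot that does not fit the operand width
 * or does not exist in the table. Returns the operand, or -1 on rejection,
 * which the caller must treat as a compilation failure, not a warning. */
int encode_checked(uint32_t slot) {
    if (slot > UINT8_MAX || slot >= TABLE_SIZE) {
        return -1;
    }
    return (int)slot;
}

/* Hardened decoder: bounds-check the operand against the table it indexes,
 * comparing as unsigned so no negative index can ever be formed.
 * Returns the constant, or -1 if the operand is out of range. */
int64_t load_constant_checked(uint8_t operand) {
    if (operand >= TABLE_SIZE) {
        return -1;
    }
    return constant_table[operand];
}

int main(void) {
    printf("encode_unchecked(256)        -> %u (aliases slot 0)\n",
           (unsigned)encode_unchecked(256u));
    printf("decode_index_unchecked(0xFF) -> %d (out of bounds)\n",
           decode_index_unchecked(0xFF));
    printf("encode_checked(256)          -> %d (rejected)\n",
           encode_checked(256u));
    printf("load_constant_checked(0xFF)  -> %lld (rejected)\n",
           (long long)load_constant_checked(0xFF));
    printf("load_constant_checked(5)     -> %lld\n",
           (long long)load_constant_checked(5));
    return 0;
}
```

The defensive rule the checked functions follow is that the range check happens in the type of the wider value, before the conversion, and that the consumer re-checks against the table it actually indexes rather than trusting the producer; either check alone would have left one of the two failure modes open.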

The issue could potentially be exploited in cases where the application relies on custom JavaScript code that is executed by React Native. It was discovered by researchers at Proof Security, who published details of the bug on GitHub.
With the help of this public disclosure, it is possible for any user to fix the issue by updating to the latest version of React Native. A public patch has been released; you can install it by following the instructions here. It would be wise to update React Native as soon as possible, in order to prevent any potential exploitation of this critical security flaw.

Summary of covered vulnerabilities

This blog post is about the vulnerability CVE-2022-40138, which was patched by React Native.

How to update React Native?

React Native is a cross-platform mobile development framework that allows you to build native apps with JavaScript. It was the most popular mobile app development framework in 2018, and it allows developers to split their code into modules, so they can create native components without needing to know a lot about code.
However, it is important for developers to be aware of open security vulnerabilities, because you never know when someone will exploit them. This means that React Native could potentially be vulnerable if an attacker finds a way to write malicious JavaScript code. For example, this type of attack would allow an attacker to access any application on your device.
In order to update React Native, the developer simply needs to install the latest version of the framework, which has already been patched for this issue by Proof Security and will not allow any exploitation.

How to Update React Native?

To update React Native, you'll need to perform the following steps:
1. Navigate to the GitHub page for your application and find the link at the top of the page labeled "React Native."
2. Click on "React Native," and then click on "Clone or download."
3. On the next screen, click on "Download ZIP" and save it somewhere on your computer.
4. Open a command prompt on Windows, or open a terminal on macOS, Linux, or another Unix-based system (e.g., Ubuntu).
5. Type npm install -g react-native-cli@latest at the command prompt to install the React Native CLI globally on your computer.
6. Navigate back to your app's GitHub repo, open a new terminal window so that you can avoid overwriting any changes made to it by other developers, and execute this command: react-native run-i386 --android --device=

Update React Native to version 0.57.0

UPDATE: Facebook has released a patch that fixes this flaw. You can find the patch or update instructions on their blog.
RECOMMENDED: Update React Native to version 0.57.0

Timeline

Published on: 10/11/2022 02:15:00 UTC
Last modified on: 10/11/2022 19:10:00 UTC