products / hermes

Hermes

Hermes is Meta's JavaScript engine optimized for React Native startup time and ahead-of-time bytecode. While most users bundle Hermes rather than exposing it directly on the Internet, NVD treats facebook:hermes as a first-class product with clear version ranges spanning both classic semver and Hermes dated release bundles.

api usage

Querying Hermes

product slughermes

version format0.4.2, 0.15.0, semver

bash

curl "https://api.attestd.io/v1/check?product=hermes&version=0.4.2" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Hermes 0.4.2 remains inside NVD ranges for multiple high-severity JIT and memory safety issues from the 2020-era release line. Expect risk_state: "high" or elevated depending on classifier output after synthesis.

json

{
  "product": "hermes",
  "version": "0.4.2",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "0.4.3",
  "confidence": 0.8,
  "cve_ids": ["CVE-2020-1911"],
  "last_updated": "2026-02-23T18:21:30Z",
  "supply_chain": null
}

safe version

Hermes 0.15.0 has no known relevant vulnerabilities at the time of the last synthesis run.

bash

curl "https://api.attestd.io/v1/check?product=hermes&version=0.15.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

notable cves

CVE history

Hermes CVEs cluster around compiler and runtime memory handling. React Native apps ship Hermes inside the same trust boundary as application JavaScript, so engine-level RCE issues are still material for supply-chain and update hygiene.

CVE	Description	Affects	CVSS
`CVE-2020-1911`	Out-of-bounds write in Hermes compiler chain allowing memory corruption on crafted source input.	< 0.4.3	9.8

All products Node.js Deno Response Field Reference