Product
facebook hhvm
101 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-23864
CVE-2025-67779
CVE-2025-55184
CVE-2025-55183
CVE-2025-55182
CVE-2025-55181
CVE-2023-5654
CVE-2023-44487
CVE-2023-30470
CVE-2023-28081
CVE-2023-25933
CVE-2023-24833
CVE-2023-24832
CVE-2023-23557
CVE-2023-23556
CVE-2022-36937
CVE-2022-4899
CVE-2022-40138
CVE-2022-35289
CVE-2022-32234
CVE-2022-27810
CVE-2021-24044
CVE-2021-24045
CVE-2019-3556
CVE-2021-24036
CVE-2021-24037
CVE-2020-1920
CVE-2021-24028
CVE-2021-24218
CVE-2021-24217
CVE-2021-24029
CVE-2020-1900
CVE-2020-1899
CVE-2020-1898
CVE-2021-24025
CVE-2020-1921
CVE-2020-1919
CVE-2020-1918
CVE-2020-1917
CVE-2020-1916
CVE-2021-24033
CVE-2021-24032
CVE-2021-24031
CVE-2020-1896
CVE-2020-1915
CVE-2020-1914
CVE-2020-1913
CVE-2020-1912
CVE-2020-1911
CVE-2020-1897
CVE-2019-11939
CVE-2019-3553
CVE-2019-11938
CVE-2020-1893
CVE-2020-1892
CVE-2020-1888
CVE-2016-1000109
CVE-2016-1000005
CVE-2016-1000004
CVE-2019-11940
CVE-2019-11936
CVE-2019-11935
CVE-2019-11930
CVE-2016-1000006
CVE-2019-11929
CVE-2019-11926
CVE-2019-11925
CVE-2019-11922
CVE-2019-11921
CVE-2019-3570
CVE-2019-3569
CVE-2019-3565
CVE-2019-3564
CVE-2019-3559
CVE-2019-3558
CVE-2019-3552
CVE-2019-3561
CVE-2019-3557
CVE-2018-6345
CVE-2018-6343
CVE-2018-6342
CVE-2018-6341
CVE-2018-6340
CVE-2018-6337
CVE-2018-6335
CVE-2018-6334
CVE-2018-6332
CVE-2016-6875
CVE-2016-6874
CVE-2016-6873
CVE-2016-6872
CVE-2016-6871
CVE-2016-6870
CVE-2014-9714
CVE-2014-6229
CVE-2014-6228
CVE-2014-5386
CVE-2014-2209
CVE-2014-2208
CVE-2014-6392
CVE-2008-0660
>= 19.0.0 and < 19.0.4
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-pa
all versions
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of ser
>= 19.0.0 and < 19.0.2
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.
>= 19.0.0 and < 19.0.2
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.
all versions
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19
>= 2025.08.25.00 and <= 2025.12.01.00
Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSessio
< 4.28.4
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content
< 2023.10.16.00
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
all versions
A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit
all versions
A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause an use-after
all versions
A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious at
< 2023-02-02
A use-after-free in BigIntPrimitive addition in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been us
< 2023-01-31
A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attac
< 2023-01-10
An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be use
< 2023-02-02
An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by
< 4.153.4
HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 h
all versions
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to ca
< 2022-09-27
An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have be
< 0.12.0
A write-what-where condition in hermes caused by an integer overflow, prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374 all
< 0.12.0
An out of bounds write in hermes, while handling large arrays, prior to commit 06eaec767e376bfdb883d912cb15e987ddf2bda1 allows att
< 0.12.0
It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed J
< 0.10.0
By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Her
< 0.10.0
A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0.
< 4.56.2
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pc
< 4.80.5
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the
< 0.8.0
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows
>= 0.59.0 and < 0.64.1
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use exce
< 2021.02.22.00
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution o
>= 3.0.0 and < 3.0.4
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were
< 3.0.0
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for P
< 2021.03.15.00
A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a
< 4.32.3
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before
< 4.32.3
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization. This type code
< 4.32.3
The fb_unserialize function did not impose a depth limit for nested deserialization. That meant a maliciously constructed string c
< 4.56.3
Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger
< 4.56.3
In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset i
< 4.56.3
Incorrect bounds calculations in substr_compare could lead to an out-of-bounds read when the second string argument passed in is l
< 4.56.3
In-memory file operations (ie: using fopen on a data URI) did not properly restrict negative seeking, allowing for the reading of
< 4.56.3
xbuf_format_converter, used as part of exif_read_data, was appending a terminating null character to the generated string, but was
< 4.56.2
An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an
< 11.0.4
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command str
>= 1.4.1 and < 1.4.9
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created o
< 1.4.1
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permission
< 0.5.0
A stack overflow vulnerability in Facebook Hermes 'builtin apply' prior to commit 86543ac47e59c522976b5632b8bf9a2a4583c7d2 (https:
< 2020-09-25
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 al
< 2020-10-01
A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c9661
<= 0.4.3
An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71
<= 0.4.3
An out-of-bounds read/write vulnerability when executing lazily compiled inner generator functions in Facebook Hermes prior to com
< 0.4.3
A type confusion vulnerability when resolving properties of JavaScript objects with specially-crafted prototype chains in Facebook
< 2020.05.18.00
A use-after-free is possible due to an error in lifetime management in the request adaptor when a malicious client invokes request
< 2020.03.16.00
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a
< 2020.02.03.00
C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a re
< 2019.12.09.00
Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a r
< 4.8.7
Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue aff
< 4.8.7
Insufficient boundary checks when decoding JSON in JSON_parser allows read access to out of bounds memory, potentially leading to
< 4.8.7
Insufficient boundary checks when decoding JSON in handleBackslash reads out of bounds memory, potentially leading to DOS. This is
< 3.9.6
HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from
< 3.9.5
mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types
< 3.9.5
Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This i
>= 0.29.0 and <= 2017.04.03.00
In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations can place
< 3.30.12
Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHV
< 3.30.12
Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects
< 3.30.12
An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue a
< 3.12.11
hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions.
< 3.30.10
Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentiall
<= 3.30.9
Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bou
<= 3.30.9
Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds m
< 1.3.8
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes
< 2019.07.22.00
An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper handling o
<= 3.30.5
Call to the scrypt_enc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This
<= 3.30.5
HHVM, when used with FastCGI, would bind by default to all available interfaces. This behavior could allow a malicious individual
< 2019.05.06.00
Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields o
< 2019.03.04.00
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicio
< 2019.02.18.00
Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malic
< 2019.02.18.00
Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, mal
< 2019.02.18.00
C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a r
<= 3.27.7
Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory. This affects all support
<= 3.27.4
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently
<= 3.27.5
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The
>= 2018.10.29.00 and < 2018.11.19.00
Proxygen fails to validate that a secondary auth manager is set before dereferencing it. That can cause a denial of service issue
>= 1.0.0 and < 1.0.4
react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launc
>= 16.0.0 and < 16.0.1
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-t
<= 3.27.4
The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over
>= 3.26 and < 3.26.3
folly::secureRandom will re-use a buffer between parent and child processes when fork() is called. That will result in multiple fo
<= 3.21.10
A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-
<= 3.21.9
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared e
<= 3.21.7
A potential denial-of-service issue in the Proxygen handling of invalid HTTP2 settings which can cause the server to spend disprop
<= 3.14.5
Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.
<= 3.14.5
The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, re
<= 3.14.5
Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.
<= 3.14.5
Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vec
<= 3.14.5
Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which t
<= 3.14.5
Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.1
<= 3.4.2
Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) befo
<= 3.2.0
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects
<= 3.2.0
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM)
<= 3.2.0
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 doe
<= 3.0.1
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp a
<= 2.4.1
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual
all versions
Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attack
all versions
Multiple stack-based buffer overflows in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.6.17.0, 4.5.70.0, and 4.5.1