CVE-2020-12079

10.0 CRITICAL

📋 TL;DR

CVE-2020-12079 is a critical sandbox escape vulnerability in Beaker Browser versions before 0.8.9 that allows attackers to bypass Electron's security sandbox and execute arbitrary system code. This occurs due to missing context isolation enabling prototype pollution attacks against Electron's internal messaging API. Users running vulnerable Beaker Browser versions are affected.

💻 Affected Systems

Products:
  • Beaker Browser
Versions: All versions before 0.8.9
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations of Beaker Browser before 0.8.9 are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with attacker gaining full control over the victim's machine, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to malware installation, credential theft, and lateral movement within the network.

🟢 If Mitigated: Limited impact if browser is run with minimal privileges and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Beaker Browser is typically used to access web content, making it directly exposed to malicious websites.
🏢 Internal Only: MEDIUM - Risk exists if users visit compromised internal sites or attacker gains internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to visit a malicious website, but no authentication and no user interaction beyond browsing is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.9 and later

Vendor Advisory: https://github.com/beakerbrowser/beaker/releases/tag/0.8.9

Restart Required: Yes

Instructions:

1. Download Beaker Browser 0.8.9 or later from official sources.
2. Uninstall previous version.
3. Install new version.
4. Restart system to ensure clean state.

🔧 Temporary Workarounds

  • Disable JavaScript (platforms: all): Temporarily disable JavaScript execution in Beaker Browser to prevent exploitation
  • Use Alternative Browser (platforms: all): Switch to a different browser until Beaker is updated

🧯 If You Can't Patch

  • Run Beaker Browser with minimal user privileges (non-admin account)
  • Implement network segmentation to isolate Beaker Browser from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Beaker Browser version in Help > About or settings menu. If version is below 0.8.9, system is vulnerable.

Check Version:

On Linux/macOS: check application info. On Windows: check program details in Control Panel.

Verify Fix Applied:

Confirm version is 0.8.9 or higher in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Beaker Browser
  • Suspicious network connections from browser process
  • File system modifications by browser process

Network Indicators:

  • Outbound connections to suspicious domains from Beaker process
  • Unexpected network traffic patterns

SIEM Query:

process_name:"beaker" AND (process_spawn OR file_modification OR network_connection)
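
The query above matches every network connection and file write the browser makes, so the process-spawn indicator is the one worth narrowing first. The following is an added example, not part of the original advisory or any vendor tooling: it flags child processes of the browser that are not the browser's own helper processes. The event field names, install paths and sample events are constructed assumptions; the name `beaker` is taken from the query above.

```python
import json
import re

# Constructed sample: one JSON process-creation event per line. The field names
# and install paths are assumptions; map them to your EDR or Sysmon schema.
SAMPLE_EVENTS = r'''
{"host": "ws-01", "parent_image": "C:\\Program Files\\Beaker Browser\\Beaker Browser.exe", "image": "C:\\Program Files\\Beaker Browser\\Beaker Browser.exe", "cmdline": "--type=renderer"}
{"host": "ws-01", "parent_image": "C:\\Program Files\\Beaker Browser\\Beaker Browser.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "mac-07", "parent_image": "/Applications/Beaker Browser.app/Contents/MacOS/Beaker Browser", "image": "/bin/sh", "cmdline": "sh -c id"}
{"host": "lin-03", "parent_image": "/usr/bin/bash", "image": "/usr/bin/curl", "cmdline": "curl https://example.com"}
not-json garbage line
'''


def basename(path):
    """Lower-cased executable name without directory or .exe suffix."""
    name = re.split(r"[\\/]", path.strip())[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_beaker(path):
    # Prefix match so helper processes that reuse the browser binary name are
    # treated as expected. Matching on name only is a simplification; prefer
    # the full signed path where your telemetry provides it.
    return basename(path).startswith("beaker")


def find_unexpected_children(lines):
    """Return one alert per event where the browser spawned a foreign binary."""
    alerts = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the run
        if not isinstance(ev, dict):
            continue
        parent, child = ev.get("parent_image", ""), ev.get("image", "")
        if is_beaker(parent) and not is_beaker(child):
            alerts.append({"host": ev.get("host"), "child": basename(child),
                           "cmdline": ev.get("cmdline", "")})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_children(SAMPLE_EVENTS):
        print(alert)
```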
