CVE-2020-14000

9.8 CRITICAL

📋 TL;DR

This vulnerability in Scratch VM allows remote code execution by loading malicious extension URLs from untrusted project files. Attackers can execute arbitrary code by crafting project.json files whose block opcodes use _ characters to smuggle an extension URL into the extension identifier. Only self-hosted Scratch instances are affected; the official scratch.mit.edu service is not vulnerable.

💻 Affected Systems

Products:
  • scratch-vm
Versions: All versions before 0.2.0-prerelease.20200714185213
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted Scratch instances. The official scratch.mit.edu service is NOT vulnerable due to lack of worker scripts.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining full control over the Scratch VM host, potentially leading to data theft, further network penetration, or ransomware deployment.

🟠 Likely Case

Malicious project files execute arbitrary JavaScript code in the Scratch VM context, potentially stealing user data, modifying projects, or using the system for cryptocurrency mining.

🟢 If Mitigated

If proper input validation and URL sanitization are implemented, the vulnerability is prevented and no code execution occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires users to load malicious project files, which could be distributed through Scratch project sharing platforms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.0-prerelease.20200714185213 and later

Vendor Advisory: https://github.com/LLK/scratch-vm/pull/2476

Restart Required: Yes

Instructions:

1. Update scratch-vm to version 0.2.0-prerelease.20200714185213 or later.
2. Restart the Scratch VM service.
3. Verify the fix by checking the installed version.

🔧 Temporary Workarounds

Disable extension loading (Applies to: all)

  • Prevent loading of external extensions from project files
  • Modify serialization/sb3.js to disable getExtensionIdForOpcode functionality

Input validation filter (Applies to: all)

  • Add filtering for _ characters in extension URLs
  • Implement URL sanitization before processing in getExtensionIdForOpcode

🧯 If You Can't Patch

  • Isolate Scratch VM instances from sensitive systems and networks
  • Implement strict project file validation and scanning before allowing uploads
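The input validation workaround above and the "validate and scan project files before allowing uploads" item both come down to refusing a project.json whose block opcodes name an extension outside the set a deployment actually bundles. The following is an added example, not code from scratch-vm or from the advisory: a pre-upload scanner in JavaScript that mirrors the opcode split getExtensionIdForOpcode performs (the text before the first underscore) and rejects any extension ID not on an allowlist. The allowlist contents, the two sample projects and the example.invalid URL are constructed for illustration and should be adjusted to your deployment.

```javascript
// Added example, not code from scratch-vm: a pre-upload scanner for Scratch 3 project.json files.
// It derives each block's extension ID the way sb3.js getExtensionIdForOpcode does (the text before
// the first "_" in the opcode) and reports any ID that is not on an allowlist, so a project that
// tries to name an extension by URL is rejected before scratch-vm ever loads it.

// Assumption for illustration: adjust this allowlist to the extensions your deployment bundles.
const ALLOWED_EXTENSION_IDS = new Set([
  'motion', 'looks', 'sound', 'event', 'control', 'sensing', 'operator', 'data', 'procedures', 'argument',
  'pen', 'music', 'videoSensing', 'text2speech', 'translate'
]);

// Used only to label the finding; the allowlist is what actually decides acceptance.
const URL_LIKE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Extension ID is the substring before the first underscore.
// Returns null when the opcode has no underscore, i.e. no extension prefix at all.
function extensionIdForOpcode(opcode) {
  if (typeof opcode !== 'string') return null;
  const idx = opcode.indexOf('_');
  return idx === -1 ? null : opcode.substring(0, idx);
}

// Walk every target's blocks and collect findings. An empty array means the project passed.
function scanProject(project) {
  const findings = [];
  const targets = Array.isArray(project && project.targets) ? project.targets : [];
  targets.forEach((target, targetIndex) => {
    const blocks = target && target.blocks && typeof target.blocks === 'object' ? target.blocks : {};
    for (const [blockId, block] of Object.entries(blocks)) {
      // Top-level variable/list reporters are stored as arrays, not block objects; they carry no opcode.
      if (!block || typeof block !== 'object' || Array.isArray(block)) continue;
      const extensionId = extensionIdForOpcode(block.opcode);
      if (extensionId === null || extensionId === '' || ALLOWED_EXTENSION_IDS.has(extensionId)) continue;
      findings.push({
        targetIndex,
        blockId,
        opcode: block.opcode,
        extensionId,
        reason: URL_LIKE.test(extensionId) ? 'extension id is a URL' : 'extension id not in allowlist'
      });
    }
  });
  return findings;
}

// Convenience gate for an upload handler: accept only projects with no findings.
function isProjectSafe(project) {
  return scanProject(project).length === 0;
}

// Constructed sample projects (minimal sb3 shape: targets[].blocks keyed by block id).
const SAFE_PROJECT = {
  targets: [{
    name: 'Stage',
    blocks: {
      a1: { opcode: 'event_whenflagclicked', next: 'a2', parent: null, topLevel: true },
      a2: { opcode: 'pen_clear', next: null, parent: 'a1', topLevel: false },
      v1: [12, 'my variable', 'counter'] // variable reporter, stored as an array
    }
  }]
};

const SUSPECT_PROJECT = {
  targets: [{
    name: 'Sprite1',
    blocks: {
      b1: { opcode: 'event_whenflagclicked', next: 'b2', parent: null, topLevel: true },
      // Constructed placeholder URL: the extension prefix here is a URL rather than a bundled ID.
      b2: { opcode: 'https://ext.example.invalid/x.js_run', next: 'b3', parent: 'b1', topLevel: false },
      b3: { opcode: 'unbundledext_doThing', next: null, parent: 'b2', topLevel: false }
    }
  }]
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('safe project passes:', isProjectSafe(SAFE_PROJECT));
  console.log('suspect project findings:', scanProject(SUSPECT_PROJECT));
}
```

Run it with node and feed real uploads through isProjectSafe before they reach a scratch-vm instance; in an upload handler the findings array is also useful as the audit log line for the "unusual extension URL loading patterns" indicator listed under Detection below.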

🔍 How to Verify

Check if Vulnerable:

Check if scratch-vm version is earlier than 0.2.0-prerelease.20200714185213

Check Version:

Run npm list scratch-vm, or check the scratch-vm version recorded in package.json

Verify Fix Applied:

Verify version is 0.2.0-prerelease.20200714185213 or later and test with known malicious project files

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension URL loading patterns
  • Multiple failed extension loads with _ characters
  • Unexpected worker script execution

Network Indicators:

  • Outbound connections to unusual domains from Scratch VM
  • Downloads of external scripts during project loading

SIEM Query:

source="scratch-vm" AND (extension_load_failure OR worker_script_execution)
