CVE-2020-15271

9.3 CRITICAL

📋 TL;DR

CVE-2020-15271 is a critical vulnerability in the lookatme Python package that allows remote code execution when rendering untrusted markdown content. The package automatically loads dangerous extensions that can execute shell commands, affecting all users who process untrusted markdown with vulnerable versions.

💻 Affected Systems

Products:
  • lookatme Python package
Versions: All versions prior to 2.3.0
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configuration when loading markdown files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary command execution, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Attackers embedding malicious markdown could execute commands to steal credentials, install backdoors, or exfiltrate sensitive data from affected systems.

🟢 If Mitigated

With proper controls, impact is limited to isolated environments where lookatme only processes trusted content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the victim processes attacker-controlled markdown content with a vulnerable version.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.0

Vendor Advisory: https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q

Restart Required: No

Instructions:

1. Upgrade lookatme to version 2.3.0 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "lookatme>=2.3.0"
2. Verify installation with: pip show lookatme

🔧 Temporary Workarounds

Manual extension removal (applies to: all)

Delete the vulnerable extension files to prevent automatic loading:

rm /path/to/python/site-packages/lookatme/contrib/terminal.py
rm /path/to/python/site-packages/lookatme/contrib/file_loader.py

🧯 If You Can't Patch

  • Only use lookatme with trusted, verified markdown content from known sources
  • Isolate lookatme execution in sandboxed environments or containers

🔍 How to Verify

Check if Vulnerable:

Check the installed version: pip show lookatme | grep Version
Any version below 2.3.0 is affected.

Verify Fix Applied:

Confirm the reported version is 2.3.0 or higher: pip show lookatme | grep Version
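A scripted form of the check above, added here as an illustration and not part of the advisory or of lookatme itself: it compares the installed version against the fixed release 2.3.0 with a proper numeric comparison (a plain string compare would rank 2.10.0 below 2.3.0) and reports whether the two extension modules named in the workaround are still importable. The dotted module names are assumed from the file names the workaround lists.

```python
import importlib.util
from importlib import metadata

FIXED_VERSION = (2, 3, 0)
# Assumed module names for the two files the workaround above deletes.
VULNERABLE_MODULES = ("lookatme.contrib.terminal", "lookatme.contrib.file_loader")

def parse_version(text: str) -> tuple:
    """'MAJOR.MINOR.PATCH' -> int tuple, so 2.10.0 sorts after 2.3.0."""
    # A plain string compare gets that wrong ('2.10.0' < '2.3.0'); non-digit
    # suffixes such as 'rc1' are dropped after each piece's leading digits.
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version: str) -> bool:
    """True for every release below 2.3.0, i.e. all versions the advisory covers."""
    return parse_version(version) < FIXED_VERSION

def installed_version():
    """Version string of the installed lookatme, or None if it is not installed."""
    try:
        return metadata.version("lookatme")
    except metadata.PackageNotFoundError:
        return None

def loadable_vulnerable_modules() -> list:
    """Names of the shell-capable extension modules that can still be imported."""
    found = []
    for name in VULNERABLE_MODULES:
        try:  # find_spec imports the parent package, which fails when absent
            if importlib.util.find_spec(name) is not None:
                found.append(name)
        except ModuleNotFoundError:
            pass
    return found

def assess() -> dict:
    """Combine both checks; a pre-2.3.0 version or a present module is a finding."""
    version = installed_version()
    modules = loadable_vulnerable_modules() if version else []
    return {"version": version,
            "vulnerable": bool(version) and is_vulnerable_version(version),
            "modules": modules}
```

Run `python -c "import cve_2020_15271_check as c; print(c.assess())"` (assumed file name) on each host; an empty `modules` list after the workaround confirms the files are really gone from the import path.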

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Python lookatme processes
  • Shell commands originating from lookatme execution

Network Indicators:

  • Outbound connections from lookatme processes to unexpected destinations

SIEM Query (a single process cannot be both python and a shell, so the python side must be matched on the parent; field names are illustrative and must be adapted to your schema):

parent_process_name:python AND parent_process_args:*lookatme* AND (process_name:bash OR process_name:sh OR process_name:cmd)
