CVE-2020-36376

9.8 CRITICAL

📋 TL;DR

This vulnerability in aaptjs 1.3.1 allows attackers to execute arbitrary code via the filePath parameter in the list function. It affects systems using the vulnerable version of aaptjs, particularly those processing untrusted input through this function. The high CVSS score indicates critical severity with potential for complete system compromise.

💻 Affected Systems

Products:
  • aaptjs
Versions: 1.3.1
Operating Systems: All platforms where aaptjs runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the vulnerable list function is exposed to untrusted input. The vulnerability is in the core library functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Remote code execution allowing attackers to run arbitrary commands on the server, potentially leading to data exfiltration, service disruption, or installation of backdoors.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially reducing to denial of service or information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The linked GitHub issue contains exploitation details. The vulnerability is in a commonly used parameter with a straightforward exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub repository for updates

Vendor Advisory: https://github.com/shenzhim/aaptjs/issues/2

Restart Required: Yes

Instructions:

1. Check the current aaptjs version.
2. Update to the latest version from the official repository.
3. Restart any services using aaptjs.
4. Validate the fix by testing with safe input.

🔧 Temporary Workarounds

Input Validation

Platform: all

Implement strict input validation on the filePath parameter to prevent command injection:

  • Implement regex validation: ^[a-zA-Z0-9._\/-]+$
  • Use an allowlist approach for file paths

Sandbox Execution

Platform: linux

Run aaptjs in a restricted environment with minimal privileges:

  • Use Docker containers with read-only filesystems
  • Implement SELinux/AppArmor policies

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using aaptjs
  • Deploy web application firewall with command injection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or version output for aaptjs 1.3.1

Check Version:

Run npm list aaptjs, or check the aaptjs version in package.json

Verify Fix Applied:

Test with controlled input to ensure command injection is prevented

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • File path parameters containing shell metacharacters
  • Unexpected process spawns from aaptjs

Network Indicators:

  • Outbound connections from aaptjs process to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

process.name:aaptjs AND (cmdline:*;* OR cmdline:*&* OR cmdline:*|* OR cmdline:*`*)
