CVE-2020-36380

CVSS 3.x base score: 9.8 CRITICAL

📋 TL;DR

CVE-2020-36380 is a critical OS command injection (CWE-78) in aaptjs 1.3.1, a Node.js wrapper around Android's aapt tool. The filePath argument to the crunch function is concatenated into a shell command string, so anyone who controls that argument can append arbitrary commands, which run with the privileges of the Node.js process that called aaptjs. Applications that pass untrusted input (for example uploaded file names) into aaptjs are exposed to remote code execution; the impact is as high as the account the process runs under.

💻 Affected Systems

Products:
  • shenzhim aaptjs (npm package aaptjs)
Versions: 1.3.1 is the version named in the CVE; treat any installed copy below the fixed release as affected
Operating Systems: Every platform where Node.js and aapt run (Linux, Windows, macOS); the injection is in the JavaScript layer, not the OS
Default Config Vulnerable: ⚠️ Yes, there is no configuration that disables the shell invocation
Notes: Any application that calls the crunch function with a filePath value derived from user input is affected. Code that only ever passes hard-coded paths is not reachable by an attacker, but the library should still be updated.

📦 What is this software?

aaptjs is a Node.js wrapper around aapt, the Android Asset Packaging Tool shipped in the Android SDK build-tools. It exposes aapt subcommands (such as crunch, which preprocesses PNG resources) as JavaScript functions and runs the underlying binary through child_process. Typical consumers are build pipelines and services that process Android resources or APKs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full host compromise when the Node.js process runs as root or administrator: the injected commands inherit that account, enabling data exfiltration, ransomware deployment and installation of persistent backdoors.

🟠

Likely Case

Remote code execution leading to application compromise, data theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact with proper input validation and sandboxing, potentially only affecting the application process.

🌐 Internet-Facing: HIGH - If vulnerable application is exposed to untrusted input from external sources, exploitation is straightforward.
🏢 Internal Only: MEDIUM - Still exploitable via internal attacks or compromised users, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit with publicly available details. No authentication required if the vulnerable function is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 or later. Before relying on this, confirm that a fixed release is actually published in your registry (npm view aaptjs versions); if none is available to you, the workarounds below are the fix.

Vendor Advisory: https://github.com/shenzhim/aaptjs/issues/2

Restart Required: Yes (Node.js loads the module at startup, so a running process keeps the old code until restarted)

Instructions:

1. Update aaptjs: npm update aaptjs, or npm install aaptjs@latest if your package.json range or lockfile pins 1.3.1.
2. Restart every application and worker that loads aaptjs.
3. Verify with npm ls aaptjs --all that no copy of 1.3.1 remains anywhere in the dependency tree, including transitive dependencies.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all platforms

Never let a caller-controlled value reach the filePath argument without validation. The injection works because the path is spliced into a shell command string, so the two effective controls are restricting the characters a path may contain and keeping a shell out of the loop entirely.

Allow-list the characters permitted in a path (letters, digits, ., _, - and /) and reject anything else, rather than trying to escape shell metacharacters
Normalize with path.resolve and require the result to stay inside an expected base directory, which also blocks ../ traversal
Where you control the call into aapt, use child_process.execFile or spawn with an argv array instead of exec with a concatenated string

Sandbox Execution

Applies to: all platforms

Run the process that calls aaptjs with the least privilege that still lets aapt read its inputs and write its outputs, so that an injected command gains as little as possible.

Run as a dedicated unprivileged user, never as root or administrator
Use containers with a read-only root filesystem, dropped capabilities and no outbound network, so a payload cannot fetch a second stage or exfiltrate data
Isolate asset processing into its own worker process or host, separate from the application that holds credentials and database access

🧯 If You Can't Patch

  • Segment and egress-filter hosts that run aaptjs so an injected command cannot reach the wider network or call out for a second stage
  • Deploy application control so that a shell spawned by node can launch aapt and nothing else (allow aapt, deny every other binary)

🔍 How to Verify

Check if Vulnerable:

List every installed copy, including transitive dependencies, and look for 1.3.1: npm ls aaptjs --all (on npm 6 and earlier, npm ls aaptjs). If the tree is not installed locally, grep package-lock.json or yarn.lock for "aaptjs".

Check Version:

npm ls aaptjs --all

Verify Fix Applied:

Confirm that every reported copy is 1.3.2 or later, then confirm the running process actually loaded the new version (it will not until restarted): node -p "require('aaptjs/package.json').version" from the application's directory.

📡 Detection & Monitoring

Log Indicators:

  • A node process spawning /bin/sh -c (or cmd.exe /c on Windows) with a command line that starts with aapt but contains shell metacharacters (; | & ` $( or newlines)
  • A shell launched to run aapt whose own child is not aapt (curl, wget, nc, bash, python)
  • Application logs showing filePath values containing those characters or ../ sequences

Network Indicators:

  • Unexpected outbound connections from the node process or its shell children, particularly to hosts the application does not normally contact
  • Download or beaconing traffic immediately following an asset-processing request

SIEM Query:

Field names vary by product; in a generic process-creation schema the first indicator looks like:

parent_process_name:node AND process_name:(sh OR bash OR dash) AND command_line:"aapt" AND command_line:(";" OR "|" OR "&" OR "`" OR "$(")

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-36380
  • Upstream issue: https://github.com/shenzhim/aaptjs/issues/2
