CVE-2020-5529

8.1 HIGH

📋 TL;DR

HtmlUnit versions before 2.37.0 contain improper Rhino JavaScript engine initialization that allows malicious JavaScript to execute arbitrary Java code. This affects applications using vulnerable HtmlUnit libraries, particularly Android apps with embedded HtmlUnit components. Attackers can achieve remote code execution through crafted JavaScript payloads.

💻 Affected Systems

Products:
  • HtmlUnit
  • Apache Camel
  • Android applications using HtmlUnit
Versions: All versions prior to 2.37.0
Operating Systems: All platforms running Java, Android
Default Config Vulnerable: ⚠️ Yes
Notes: Android applications embedding HtmlUnit are particularly vulnerable due to Android-specific Rhino initialization issues.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker executing arbitrary Java code, potentially leading to data theft, privilege escalation, or full application takeover.

🟠 Likely Case

Remote code execution within the application context, allowing data exfiltration, lateral movement, or deployment of additional malware.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially only denial of service or information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker to inject or deliver malicious JavaScript to the vulnerable application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.37.0 and later

Vendor Advisory: https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0

Restart Required: Yes

Instructions:

1. Update HtmlUnit dependency to version 2.37.0 or higher.
2. Update build configuration (Maven/Gradle) to use patched version.
3. Rebuild and redeploy affected applications.
4. Test functionality after update.

🔧 Temporary Workarounds

Disable JavaScript execution

all

Configure HtmlUnit to disable JavaScript execution if not required for functionality

webClient.getOptions().setJavaScriptEnabled(false);

Input validation and sanitization

all

Implement strict input validation for any JavaScript processed by HtmlUnit

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable applications
  • Deploy web application firewall (WAF) with JavaScript injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check build configuration files (pom.xml, build.gradle) for HtmlUnit dependency version below 2.37.0

Check Version:

Maven: mvn dependency:tree | grep htmlunit
Gradle: gradle dependencies | grep htmlunit

Verify Fix Applied:

Verify HtmlUnit version is 2.37.0 or higher in dependency files and runtime classpath
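
Added example (not part of the original advisory or the HtmlUnit project): a Python check that reads mvn dependency:tree or gradle dependencies output and reports every resolved htmlunit artifact older than 2.37.0, comparing versions numerically so that 2.4 is not mistaken for something newer than 2.37.0. The sample dependency lines are constructed, and the function names are this example's own.

```python
import re
import sys

FIXED = (2, 37, 0)  # first patched HtmlUnit release named on this page

# Matches Maven "group:htmlunit:jar:2.36.0:compile" and Gradle
# "group:htmlunit:2.30 -> 2.37.0". The artifactId must be exactly "htmlunit",
# so htmlunit-core-js and neko-htmlunit are not reported under the wrong name.
COORD = re.compile(
    r"([\w.\-]+):htmlunit:(?:[a-z\-]+:)?(\d[\w.\-]*)(?:\s*->\s*(\d[\w.\-]*))?"
)

# Constructed sample: Maven tree lines followed by Gradle tree lines.
SAMPLE = """\
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.36.0:compile
[INFO] |  +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.36.0:compile
[INFO] |  \\- net.sourceforge.htmlunit:neko-htmlunit:jar:2.36.0:compile
+--- net.sourceforge.htmlunit:htmlunit:2.30 -> 2.37.0
\\--- net.sourceforge.htmlunit:htmlunit:2.4
"""


def parse_version(text):
    """Turn '2.36.0' or '2.4-SNAPSHOT' into a comparable tuple of ints."""
    nums = [int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def vulnerable_htmlunit(dep_output):
    """Return sorted (coordinate, resolved version) pairs older than FIXED."""
    hits = set()
    for m in COORD.finditer(dep_output):
        group, declared, resolved = m.groups()
        version = resolved or declared  # Gradle prints "declared -> resolved"
        if parse_version(version) < FIXED:
            hits.add((f"{group}:htmlunit", version))
    return sorted(hits)


if __name__ == "__main__":
    # Use piped build-tool output if present, otherwise the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = vulnerable_htmlunit(text)
    for coord, version in found:
        print(f"VULNERABLE {coord} {version} (< 2.37.0)")
    sys.exit(1 if found else 0)
```

Piping the build tool's output into the script makes it exit non-zero when a vulnerable version is resolved, so it can gate a CI job.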

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java class loading
  • Suspicious JavaScript execution patterns
  • Rhino engine errors

Network Indicators:

  • Unexpected outbound connections from application server
  • Suspicious JavaScript payloads in HTTP requests

SIEM Query:

source="application.logs" AND ("HtmlUnit" OR "Rhino") AND ("ClassLoader" OR "execution")
