CVE-2020-6836

9.8 CRITICAL

📋 TL;DR

CVE-2020-6836 is a critical remote code execution vulnerability in the hot-formula-parser Node.js package. It allows attackers to inject arbitrary code through unsanitized user input that the package passes to eval(). Any Node.js application that uses a vulnerable version of this package to parse formulas from untrusted sources is affected.

💻 Affected Systems

Products:
  • hot-formula-parser (Node.js package)
Versions: All versions before 3.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when parsing user-controlled input. Applications using the package with trusted data only are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to data exfiltration, cryptocurrency mining, or botnet enrollment.

🟢 If Mitigated

Limited impact if input validation prevents malicious payloads from reaching the parser.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with public proof-of-concept code available. No authentication required if the vulnerable endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.1

Vendor Advisory: https://www.npmjs.com/advisories/1439

Restart Required: Yes

Instructions:

1. Update package.json to require "hot-formula-parser": "^3.0.1".
2. Run 'npm update hot-formula-parser'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to reject any formula containing suspicious characters or patterns before passing it to the parser.

Network Isolation (applies to: all)

Restrict network access to affected services using firewalls or network policies.

🧯 If You Can't Patch

  • Implement strict input validation to reject any formula containing parentheses, quotes, semicolons, or backticks.
  • Run the service with minimal privileges and in a containerized/sandboxed environment.

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules/hot-formula-parser/package.json for version <3.0.1.

Check Version:

npm list hot-formula-parser

Verify Fix Applied:

Confirm package version is 3.0.1 or higher and test with known malicious payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js
  • Suspicious eval() calls in application logs
  • Error logs containing malformed formula syntax

Network Indicators:

  • Unexpected outbound connections from Node.js process
  • Traffic to known malicious IPs/domains

SIEM Query:

process.name:node AND (process.cmdline:*eval* OR process.cmdline:*child_process*)

🔗 References
