CVE-2020-7645

9.8 CRITICAL

📋 TL;DR

CVE-2020-7645 is a command injection vulnerability in chrome-launcher that allows attackers to execute arbitrary commands on Linux systems by manipulating the $HOME environment variable. This affects all versions of chrome-launcher, which is commonly used in Node.js applications for launching Chrome/Chromium browsers. Applications using this package are vulnerable if they run on Linux with attacker-controlled environment variables.

💻 Affected Systems

Products:
  • chrome-launcher
Versions: All versions prior to 0.14.0 (the first patched release, see Official Fix below)
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Linux systems where the $HOME environment variable can be controlled by an attacker. Windows and macOS are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Local privilege escalation or arbitrary command execution in the context of the application user, potentially leading to data theft or system manipulation.

🟢 If Mitigated

Limited impact if proper environment variable sanitization and least privilege principles are implemented.

🌐 Internet-Facing: MEDIUM - Requires the application to be exposed and accept attacker-controlled input that influences environment variables.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to control the $HOME environment variable, which typically means some level of access or ability to influence the application's execution environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to chrome-launcher version 0.14.0 or later

Vendor Advisory: https://github.com/GoogleChrome/chrome-launcher/security/advisories/GHSA-3g6p-xm8h-2xq9

Restart Required: Yes

Instructions:

1. Update package.json to use chrome-launcher >=0.14.0.
2. Run 'npm update chrome-launcher' or 'yarn upgrade chrome-launcher'.
3. Restart all applications using chrome-launcher.

🔧 Temporary Workarounds

Environment Variable Sanitization

Platform: linux

Sanitize or restrict the $HOME environment variable before passing to chrome-launcher. The character set must include '/' so that an absolute path such as /home/user survives; stripping '/' would leave a non-existent path and break the application.

# keep only path-safe characters (letters, digits, '/', '.', '_', '-') and cap the length
export HOME=$(printf '%s' "$HOME" | tr -cd '[:alnum:]/._-' | head -c 100)

Run with Restricted User

Platform: linux

Run the application with a non-privileged user account to limit impact

sudo -u restricted_user node app.js

🧯 If You Can't Patch

  • Implement strict input validation for any user-controlled data that could influence environment variables
  • Use containerization with restricted capabilities and read-only filesystems where possible

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list chrome-launcher' to see if version is below 0.14.0

Check Version:

npm list chrome-launcher | grep chrome-launcher

Verify Fix Applied:

Confirm chrome-launcher version is 0.14.0 or higher with 'npm list chrome-launcher'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Chrome/Chromium launches with unusual parameters
  • Commands executed from unexpected $HOME paths

Network Indicators:

  • Outbound connections from Chrome processes to unexpected destinations

SIEM Query:

process.name:"chrome" AND process.args:"*$HOME*" AND NOT user.name:"expected_user"
