CVE-2020-27224
Description
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview) can be exploited to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @theia/preview (npm) | < 1.3.0 | 1.3.0 |
Affected products
- Range: unspecified
Patches
Vulnerability mechanics
Root cause
"Improper neutralization of user-controlled input in the Markdown Preview allows injection of arbitrary HTML/JavaScript via `<style onload>` tags [CWE-79]."
Attack vector
An attacker crafts a malicious Markdown file containing a `<style onload="...">` tag that executes arbitrary JavaScript when the Markdown Preview renders the file [ref_id=1]. The attacker hosts this file in a GitHub repository and tricks a victim into importing it into their Eclipse Theia-based environment (e.g., Google Cloud Shell) via the "Open in Cloud Shell" button [ref_id=1]. Once the preview renders, the injected script uses the Theia file API endpoints (`/files/?uri=` and `/files/download/?id=`) to exfiltrate sensitive files such as the SSH private key and hostname, enabling full remote code execution as root [ref_id=1]. This is a stored cross-site scripting attack [CWE-79] that does not require any authentication beyond the victim's existing session.
Affected code
The vulnerability resides in the Markdown Preview extension (`@theia/preview`) in Eclipse Theia up to version 1.2.0. The researcher identified the bug by reviewing Theia's GitHub repository issues tagged with "security" [ref_id=1]. The advisory does not specify exact function or file paths within the preview module.
What the fix does
The bundle does not include a patch diff. According to the researcher, Google fixed the issue on March 18, 2020 [ref_id=1]. The advisory does not describe the specific remediation applied to Eclipse Theia or Google Cloud Shell, but the fix would need to neutralize HTML/JavaScript injection in Markdown preview rendering to prevent execution of `<style onload>` and similar payloads [CWE-79].
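A triage check a defender could run over Markdown from untrusted repositories before it reaches a preview pane, added here as an example (not code from Theia, Google, or the advisory): it flags inline HTML carrying event-handler attributes such as the `<style onload>` form described above, and ignores fenced code blocks, which are shown as text. The tag list, function names, and sample input are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

FENCES = ("`" * 3, "~~~")  # Markdown code-fence markers
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # assumed watch list
# Constructed sample input; the handler bodies are harmless placeholders.
SAMPLE_MD = """# Project notes
Some *ordinary* text and a [link](https://example.com).

<style onload="PLACEHOLDER_HANDLER"></style>

~~~html
<img src="x.png" onerror="PLACEHOLDER_SHOWN_AS_CODE">
~~~
"""

class ActiveContentFinder(HTMLParser):
    """Records (line, tag, reason) for inline HTML that can run script."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # line on which the tag starts
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active element"))
        for name, value in attrs:
            if name.startswith("on"):  # onload, onerror, ... (conservative)
                self.findings.append((line, tag, f"event handler {name}"))
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, tag, f"javascript: URL in {name}"))

def blank_fenced_code(md):
    """Empty out fenced code blocks (rendered as text), keeping line numbers."""
    out, fence = [], None
    for line in md.splitlines():
        marker = line.lstrip()[:3]
        if fence is None and marker in FENCES:
            fence = marker          # opening fence
        elif marker == fence:
            fence = None            # matching closing fence
        out.append("" if (fence or marker in FENCES) else line)
    return "\n".join(out)

def scan_markdown(md):
    """Return findings for one Markdown document, in document order."""
    finder = ActiveContentFinder()
    finder.feed(blank_fenced_code(md))
    finder.close()
    return finder.findings
```

A finding is a reason to review the file before previewing it, not proof of malice; the check does not replace sanitizing the rendered HTML in the preview itself.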
Preconditions
- config: Victim must use Eclipse Theia version <= 1.2.0 with the Markdown Preview extension enabled
- input: Victim must open a malicious Markdown file in the preview pane
- input: Attacker must host the malicious Markdown file in a repository accessible to the victim (e.g., a public GitHub repo)
- auth: No authentication required beyond the victim's existing session in the Theia environment
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gcm9-cc3r-c6vj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-27224 (ghsa, ADVISORY)
- github.com/eclipse-theia/theia/issues/7954 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/eclipse-theia/theia/pull/7971 (ghsa, WEB)
- omespino.com/write-up-google-bug-bounty-xss-to-cloud-shell-instance-takeover-rce-as-root-5000-usd (ghsa, WEB)
- omespino.com/write-up-google-bug-bounty-xss-to-cloud-shell-instance-takeover-rce-as-root-5000-usd/ (mitre, x_refsource_CONFIRM)