CVE-2020-36376
Description
Command injection in aaptjs list function allows remote code execution via crafted filePath parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in aaptjs list function allows remote code execution via crafted filePath parameter.
Vulnerability
The list function in aaptjs version 1.3.1 passes user-supplied filePath arguments directly to the aapt command without sanitization, leading to command injection [1][2]. The vulnerable code uses string concatenation to build the command, allowing arbitrary shell commands to be injected [2].
Exploitation
An attacker can provide a maliciously crafted filePath parameter containing shell metacharacters (e.g., backticks, $()). When the list function is called with such input, the injected commands execute in the context of the Node.js process [2]. No authentication is required if the application exposes this function to user input.
Impact
Successful exploitation allows arbitrary command execution with the privileges of the Node.js process. The attacker can execute system commands, read sensitive files, or install malware [1][2]. This constitutes full remote code execution.
Mitigation
Update to a patched version of aaptjs that properly sanitizes the filePath input. As of the publication date, no official fix has been released in the repository [3]; users should avoid passing untrusted input to the list function or implement input validation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aaptjs (npm) | <= 1.3.1 | — |
Affected products
- shenzhim/aaptjs
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4g7x-7vgq-3j28 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-36376 (advisory)
- github.com/shenzhim/aaptjs/issues/2 (issue report)
News mentions
No linked articles in our index yet.