VYPR
Critical severity · NVD Advisory · Published Oct 31, 2021 · Updated Aug 4, 2024

CVE-2020-36377

Description

A command injection vulnerability in aaptjs 1.3.1's dump function allows remote code execution via crafted filePath parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The dump function in shenzhim/aaptjs version 1.3.1 contains a command injection flaw due to insecure formatting of the filePath parameter [1][2]. The function passes user-supplied input directly to a shell command without proper sanitization, enabling an attacker to inject arbitrary commands [2].

Exploitation

An attacker must control the filePath argument passed to the dump function [2]. No authentication is required if the application exposes this function to untrusted input. By crafting a filePath value containing shell metacharacters (e.g., backticks or semicolons), the attacker can execute arbitrary OS commands in the context of the Node.js process [2].

Impact

Successful exploitation leads to arbitrary code execution on the host system [1][2]. The attacker gains the same privileges as the running Node.js application, potentially allowing full system compromise, data exfiltration, or lateral movement [2].

Mitigation

As of the available references, no patched version of aaptjs has been released [2][3]. Users should avoid passing untrusted input to the dump function, or consider replacing the package with a secure alternative. Input validation and escaping of shell arguments are recommended workarounds [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
aaptjs | npm | <= 1.3.1 | none

Patches

No patches discovered yet.
