VYPR
Critical severity · NVD Advisory · Published Oct 31, 2021 · Updated Aug 4, 2024

CVE-2020-36378

Description

aaptjs 1.3.1's packageCmd function fails to sanitize filePath, allowing remote code execution via shell injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In aaptjs version 1.3.1, the packageCmd function does not sanitize the filePath parameter passed to it. This allows an attacker to inject arbitrary shell commands by crafting a malicious file path argument. The vulnerable function is part of the Node.js wrapper for the Android Asset Packaging Tool (aapt) [1][2].

Exploitation

An attacker can exploit this by providing a specially crafted filePath value containing shell metacharacters (e.g., backticks or semicolons) to the packageCmd function. No authentication is required if the application using aaptjs accepts user-supplied file paths. The injected commands are executed with the privileges of the process running the Node.js application [2].

Impact

Successful exploitation results in arbitrary command execution on the host system. The attacker can achieve remote code execution (RCE) with the same privileges as the Node.js process, potentially leading to full system compromise, data exfiltration, or further lateral movement [1][2].

Mitigation

No official patch has been released by the project maintainer according to the available references [2][3]. Users should avoid passing untrusted input to the packageCmd function, or consider switching to an alternative library that properly sanitizes shell arguments. The package repository and issue tracker indicate that the vulnerability remains unaddressed [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
aaptjs  | npm       | <= 1.3.1          | none

Affected products: 2

Patches: 0

No patches discovered yet.

References: 3
