CVE-2020-36380

Vulnerability

The crunch function in shenzhim/aaptjs version 1.3.1 does not sanitize the filePath parameter before passing it to a shell command. This allows an attacker to inject arbitrary commands by including shell metacharacters (e.g., backticks, semicolons) in the filePath value. The vulnerability is present in the crunch function as described in the official CVE entry [1] and the GitHub issue [2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious filePath string to the crunch function. No authentication is required if the application exposes this function to untrusted input (e.g., via user-supplied file paths or uploads). The attacker simply needs to control the filePath argument; the function will then execute the injected commands with the privileges of the Node.js process [2].

Impact

Successful exploitation results in arbitrary code execution on the host system. This can lead to full compromise of the application server, including data theft, installation of malware, or lateral movement within the network. The impact is rated as critical due to the lack of required privileges and the potential for remote exploitation [1][2].

Mitigation

As of the latest available references, no patched version of aaptjs has been released. The repository appears unmaintained [3]. Users should avoid passing untrusted input to the crunch function, consider switching to an alternative library, or implement input validation and escaping before calling the function. If possible, upgrade to a newer version if one becomes available [2][3].