VYPR
Critical severity · NVD Advisory · Published Oct 31, 2021 · Updated Aug 4, 2024

CVE-2020-36381


Description

In aaptjs 1.3.1, the singleCrunch function allows arbitrary code execution via crafted filePath parameters due to insecure command formatting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The singleCrunch function in aaptjs version 1.3.1 does not properly sanitize the filePath parameter, leading to command injection. aaptjs is a Node.js wrapper for the Android Asset Packaging Tool (aapt). The vulnerability was reported in a GitHub issue [2] and is present in the source code [3].

Exploitation

An attacker can supply a malicious filePath string containing shell metacharacters. The function constructs a command string that is executed without sanitization. No authentication is required; the attacker only needs control over the filePath input.

Impact

Successful exploitation results in arbitrary code execution in the context of the application using aaptjs. This can lead to full system compromise, including data exfiltration, malware installation, or lateral movement.

Mitigation

As of the CVE publication date (2021-10-31), no fix has been released for aaptjs 1.3.1. Users should avoid passing untrusted input to singleCrunch and consider discontinuing use of the library until a patch is available. The repository does not show a newer version addressing this issue [1][2][3].
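The command-formatting pattern described above, next to a shell-free alternative, as an added example (not aaptjs source and not a project patch). The function names are hypothetical, the `singleCrunch -i ... -o ...` arguments follow aapt's command-line usage, and the Node binary stands in for aapt so the block runs offline.

```javascript
// Added example; not aaptjs source. All function names are hypothetical.
const { execFileSync } = require('node:child_process');
const path = require('node:path');

// Pattern the advisory describes: the path is formatted into one command
// string, so a shell would interpret any metacharacters inside it.
function formatCommandUnsafe(aaptBin, inputFile, outputFile) {
  return `${aaptBin} singleCrunch -i ${inputFile} -o ${outputFile}`;
}

// Validate a caller-supplied path before it gets near a process launch.
function checkPngPath(p) {
  if (typeof p !== 'string' || p.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  if (p.includes('\0')) throw new Error('NUL byte in path');
  const resolved = path.resolve(p); // absolute, so never parsed as an option
  if (path.extname(resolved).toLowerCase() !== '.png') {
    throw new Error('expected a .png file');
  }
  return resolved;
}

// Hardened form: each value is its own argv element, never re-parsed.
function crunchArgv(inputFile, outputFile) {
  return ['singleCrunch', '-i', checkPngPath(inputFile),
          '-o', checkPngPath(outputFile)];
}

// execFileSync starts the binary directly; no shell sees the arguments.
function runNoShell(bin, argv) {
  return execFileSync(bin, argv, { encoding: 'utf8', shell: false });
}

// Assumption: Node stands in for the aapt binary so this runs offline.
// The child prints the trailing argv entries it received as JSON.
function argvSeenByChild(argv) {
  const echo = `console.log(JSON.stringify(process.argv.slice(-${argv.length})))`;
  return JSON.parse(runNoShell(process.execPath, ['-e', echo, '--', ...argv]));
}

// Constructed sample input containing a shell metacharacter.
const samplePath = 'icons/launcher.png; echo constructed.png';
console.log(formatCommandUnsafe('aapt', samplePath, 'out/launcher.png'));
console.log(argvSeenByChild(crunchArgv(samplePath, 'out/launcher.png')));
```

In the second output the whole sample path arrives as a single argument, which is the property the string-formatted command cannot guarantee.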

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
aaptjs (npm) | <= 1.3.1 | (none)

Affected products

2

Patches

0

No patches discovered yet.


References

3
