VYPR
High severity · NVD Advisory · Published Feb 11, 2020 · Updated Oct 15, 2024

CVE-2020-5529

Description

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HtmlUnit before 2.37.0 improperly initializes the Rhino engine, allowing arbitrary Java code execution via malicious JavaScript.

Vulnerability

Analysis

CVE-2020-5529 is an improper initialization vulnerability in HtmlUnit, a Java library that simulates a web browser. The issue resides in the way HtmlUnit initializes the Mozilla Rhino JavaScript engine. By default, Rhino provides a feature to expose Java objects to JavaScript code. HtmlUnit's flawed initialization fails to restrict this access, allowing a malicious JavaScript snippet to call arbitrary Java methods [1][2].

Exploitation

An attacker can exploit this vulnerability by leading a target application to evaluate attacker-controlled JavaScript. This could be achieved via a man-in-the-middle attack, by tricking the application into loading a malicious webpage, or by injecting script into a trusted context. No authentication is required, but the attacker must be able to inject or intercept script execution. For applications running on Android, the Android-specific Rhino initialization is similarly misconfigured, enabling the same attack vector [2].

Impact

Successful exploitation allows the attacker to execute arbitrary Java code within the context of the host application. This can lead to full compromise of the application's runtime environment, including data theft, denial of service, or further lateral movement within the host system. The CVSS v3 base score is 5.6 (Medium), with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L [2].

Mitigation

The vulnerability is fixed in HtmlUnit version 2.37.0. The fix explicitly prevents Rhino from accessing Java resources, as demonstrated by a commit that blocks calls like java.lang.Math.PI from JavaScript [4]. Users should upgrade to HtmlUnit 2.37.0 or later. For Android deployments, updating the library is also the recommended solution [2].
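
The difference between an open and a restricted Rhino scope, shown with the same probe the regression test uses. This is an added example, not HtmlUnit's code or its fix; it assumes the upstream Rhino library (org.mozilla.javascript) is on the classpath, and the class name RhinoJavaAccessCheck is hypothetical.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;

// Hypothetical stand-alone check (assumption: upstream Rhino, not HtmlUnit's engine).
public class RhinoJavaAccessCheck {

    // Same expression the page's regression test evaluates.
    static final String PROBE =
        "(function () {"
        + "  try { return String(java.lang.Math.PI); }"
        + "  catch (e) { return 'exception'; }"
        + "})()";

    // safeScope: build the global scope without the Java bridge objects.
    // denyClasses: install a ClassShutter that refuses every class lookup.
    static String eval(boolean safeScope, boolean denyClasses) {
        Context cx = Context.enter();
        try {
            if (denyClasses) {
                // Second layer: even if the 'java' object is reachable,
                // no Java class is made visible to scripts.
                cx.setClassShutter(fullClassName -> false);
            }
            Scriptable scope = safeScope
                ? cx.initSafeStandardObjects()   // no java/Packages globals
                : cx.initStandardObjects();      // exposes Java to scripts
            Object result = cx.evaluateString(scope, PROBE, "probe.js", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        System.out.println("initStandardObjects:      " + eval(false, false));
        System.out.println("initSafeStandardObjects:  " + eval(true, false));
        System.out.println("standard + ClassShutter:  " + eval(false, true));
    }
}
```

An embedding that evaluates untrusted script should take the safe-scope path and can add the ClassShutter as an allow-list for any classes it deliberately exposes.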

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| net.sourceforge.htmlunit:htmlunit (Maven) | < 2.37.0 | 2.37.0 |

Affected products

3

Patches

1
bc1f58d483cc

Security: prevent Rhinos access to Java resources; e.g. call java methods

https://github.com/HtmlUnit/htmlunit · rbri · Jan 27, 2020 · via ghsa
2 files changed · +53 −0
  • src/changes/changes.xml+3 0 modified
    @@ -8,6 +8,9 @@
     
         <body>
             <release version="2.37.0" date="xxxx, 2020" description="Bugfixes, CHROME 79, FF52 removed, FF68 added">
    +            <action type="fix" dev="rbri">
    +                Security: prevent Rhinos access to Java resources; e.g. call java methods.
    +            </action>
                 <action type="update" dev="rbri">
                     Upgrade Apache HttpComponents to 4.5.11.
                 </action>
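
Review bot: The new action text reads "prevent Rhinos access to Java resources"; that should be "Rhino's", and for a security fix the entry would serve release-note readers better if it stated what page scripts can no longer do, for example that JavaScript can no longer reach Java classes such as java.lang.Math. The enclosing release element still carries the placeholder date "xxxx, 2020", which needs a real value before 2.37.0 is published.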
    
  • src/test/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine2Test.java+50 0 modified
    @@ -16,6 +16,8 @@
     
     import static org.junit.Assert.fail;
     
    +import java.net.URL;
    +
     import org.junit.Test;
     import org.junit.runner.RunWith;
     import org.openqa.selenium.By;
    @@ -891,4 +893,52 @@ public void ctorBooleanDocumentAll() throws Exception {
     
             loadPageWithAlerts2(html);
         }
    +
    +    /**
    +     * @throws Exception if the test fails
    +     */
    +    @Test
    +    @Alerts("exception")
    +    public void javaNotAccessable() throws Exception {
    +        final String html = "<html><head>\n"
    +                + "<script>\n"
    +                + "function test() {\n"
    +                + "  try {\n"
    +                + "    alert(java.lang.Math.PI);\n"
    +                + "  } catch (e) { alert('exception'); }\n"
    +                + "}\n"
    +                + "</script>\n"
    +                + "</head>\n"
    +                + "<body onload='test()'>\n"
    +                + "</body></html>";
    +
    +        loadPageWithAlerts2(html);
    +    }
    +
    +    /**
    +     * @throws Exception if the test fails
    +     */
    +    @Test
    +    @Alerts("Received: from worker - exception")
    +    public void javaNotAccessableFromWorker() throws Exception {
    +        final String html = "<html><body>\n"
    +            + "<script async>\n"
    +            + "try {\n"
    +            + "  var myWorker = new Worker('worker.js');\n"
    +            + "  myWorker.onmessage = function(e) {\n"
    +            + "    alert('Received: ' + e.data);\n"
    +            + "  };\n"
    +            + "} catch(e) { alert('exception' + e); }\n"
    +            + "</script></body></html>\n";
    +
    +        final String workerJs = "var pi = 'from worker';\n"
    +                + "try {\n"
    +                + "  pi = pi + ' - ' + java.lang.Math.PI\n"
    +                + "} catch (e) { pi = pi + ' - ' + 'exception'; }\n"
    +                + "postMessage(pi);\n";
    +
    +        getMockWebConnection().setResponse(new URL(URL_FIRST, "worker.js"), workerJs);
    +
    +        loadPageWithAlerts2(html, 2000);
    +    }
     }
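
Review bot: Both new tests probe only java.lang.Math.PI, a static field read, while the changelog entry in this commit says scripts must not be able to call Java methods; add at least one case that attempts a method call so the stated guarantee is covered in the page context and in the worker context. The bare "catch (e) { alert('exception'); }" passes on any error, so alerting the error name or asserting on "typeof java" would show the failure comes from Java being unreachable rather than from an unrelated script error. The method names spell "Accessable"; "javaNotAccessible" and "javaNotAccessibleFromWorker" would match the usual spelling. The two files listed for this commit are the changelog and this test class, so the change that makes these tests pass is not visible in this diff and should be referenced in the commit message.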
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11
