PT-2020-13829 · MIT Lifelong Kindergarten Scratch · scratch-vm

Apple502J · Published 2020-07-16 · Updated 2020-07-27 · CVE-2020-14000

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MIT Lifelong Kindergarten Scratch scratch-vm versions before 0.2.0-prerelease.20200714185213

Description

Loading extension URLs from untrusted project.json files with certain characters results in remote code execution, because the URL's content is treated as a script and executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. Older versions had a protection mechanism in which URLs were split, which prevented deserialization attacks; the characters in question are incompatible with that mechanism. The scratch.mit.edu hosted service is not affected because of the lack of worker scripts.

Recommendations

For versions before 0.2.0-prerelease.20200714185213, consider updating to a version that includes the fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting the use of characters in project.json files or disabling the execution of worker scripts until a patch is available.

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2020-14000
GHSA-VC9J-FHVV-8VRF

Affected Products

scratch-vm