CVE-2020-14000
scratch-vm before 0.2.0-prerelease.20200714185213 is vulnerable: getExtensionIdForOpcode in serialization/sb3.js loads extension URLs from untrusted project.json files. Because of underscores in the URLs, the URL's content is treated as a script and executed as a worker, which leads to remote code execution.
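One way to screen an untrusted project.json before it reaches an unpatched VM, as an added example that is not code from scratch-vm or from the advisory. It assumes the sb3 layout of `targets[].blocks` keyed by block ID with an `opcode` string; the helper name `findSuspiciousOpcodes`, the character policy and the sample project are constructed for illustration.

```javascript
// Added example, not scratch-vm code. Assumed policy: a legitimate opcode
// contains only A-Z, a-z, 0-9, "_" and "-". Checking the whole opcode means
// the result does not depend on where underscores split it.
const PLAIN_OPCODE = /^[A-Za-z0-9_-]+$/;

// Hypothetical helper: returns one finding per block whose opcode fails the policy.
function findSuspiciousOpcodes(project) {
    const findings = [];
    const targets = Array.isArray(project && project.targets) ? project.targets : [];
    for (const target of targets) {
        const blocks = (target && typeof target.blocks === 'object' && target.blocks) || {};
        for (const [blockId, block] of Object.entries(blocks)) {
            // Array entries are serialized primitives (e.g. variable reporters), not blocks.
            if (block === null || typeof block !== 'object' || Array.isArray(block)) continue;
            const opcode = block.opcode;
            let reason = null;
            if (typeof opcode !== 'string') {
                reason = 'opcode is not a string';
            } else if (!PLAIN_OPCODE.test(opcode)) {
                reason = 'opcode has characters outside [A-Za-z0-9_-]';
            }
            if (reason) findings.push({target: target.name, blockId, opcode, reason});
        }
    }
    return findings;
}

// Constructed sample input (not taken from a real project).
const sampleProject = {
    targets: [{
        name: 'Sprite1',
        blocks: {
            a: {opcode: 'motion_movesteps'},
            b: {opcode: 'pen_penDown'},
            c: {opcode: 'https://example.invalid/ext_v2.js_run'}, // URL-shaped prefix
            d: [12, 'my variable', 'var-id'],                     // primitive, skipped
            e: {opcode: 42}                                       // wrong type
        }
    }]
};

// Refuse to hand the file to the VM if anything is flagged.
const sampleFindings = findSuspiciousOpcodes(sampleProject);
console.log(sampleFindings.length === 0 ? 'ok to load' : sampleFindings);
```

This screening is a stopgap for deployments that cannot upgrade immediately; the fix is to run a scratch-vm release at or after 0.2.0-prerelease.20200714185213.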