# CVE-2024-28397-command-execution-poc
This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python's internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution.
# JSON-Parsers & RCE Exploit PoC
## Overview
This repository contains a **proof-of-concept (PoC)** payload demonstrating a **sandbox escape** that bypasses `js2py.disable_pyimport()`, a vulnerability in `js2py` versions up to **0.74**.
When an application **evaluates or parses user-supplied JSON/JavaScript unsafely**, this vulnerability allows an attacker to break out of the JavaScript sandbox, reach into Python internals, locate `subprocess.Popen`, and execute arbitrary commands.
---
## History & Context
- **CVE-2024-28397** was publicly disclosed on **June 20, 2024**, affecting many Python applications that rely on `js2py` to evaluate JavaScript in a sandbox.
- The flaw resides in incomplete sandboxing within `js2py.disable_pyimport()`, which makes it possible to bypass the intended import restrictions via global object access.
- The vulnerability carries a **CVSS v3.1 score of 5.3 / Medium** (attack complexity is low; privilege required is low; results in code execution).
- It has since appeared in vulnerability advisories from NVD, GitHub Advisory DB, Snyk, and other major vulnerability platforms.
---
## Exploit Overview
1. The vulnerable application **parses user-controlled JavaScript or JSON**.
2. The PoC uses a JavaScript snippet to traverse the Python object graph:
   - It accesses `__class__`, `__base__`, and `__subclasses__()` to locate `subprocess.Popen`.
   - It executes a shell command and captures the output.
   - The final result is safely returned as a string (JSON-safe).
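The defensive counterpart to the steps above, as an added example that is not part of this PoC repository: if the application only needs JSON data from the client, it should parse that data with the standard library `json` module and never hand it to a JavaScript evaluator such as `js2py`. A second function gives a detection signal by flagging input that references the Python dunder attributes named in the advisory (`__class__`, `__base__`, `__subclasses__`) so it can be logged or rejected. The sample inputs, the size cap and the function names are constructed for this example.

```python
"""Defensive handling of the untrusted-input path described in the PoC.

Added example, not code from the original repository. Assumes the server
only needs JSON from the client; in that case stdlib json.loads replaces
any JavaScript evaluation, and the dunder-probe check is a log/alert aid.
"""
import json
import re

# Constructed sample inputs (not taken from the PoC).
BENIGN_JSON = '{"user": "alice", "roles": ["reader"], "quota": 10}'
JS_EXPRESSION = 'var x = {user: "alice"}; x'           # JavaScript, not JSON
PROBE_SNIPPET = 'x.__class__.__base__.__subclasses__()'  # attribute walk named in the advisory

MAX_BYTES = 64 * 1024  # assumed size cap for a single request body

# The Python-internal attribute names the sandbox escape walks through.
DUNDER_PROBE = re.compile(r"__(?:class|base|subclasses)__")


class UnsafeInput(ValueError):
    """Raised when input is not plain JSON or exceeds the size cap."""


def parse_untrusted_json(text: str) -> object:
    """Parse client data as strict JSON only; no JavaScript evaluation."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise UnsafeInput("payload exceeds size cap")
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        # Anything that is not valid JSON (e.g. JavaScript code) is rejected
        # instead of being passed to a JS interpreter such as js2py.
        raise UnsafeInput(f"not valid JSON: {exc.msg}") from exc


def flags_sandbox_probe(source: str) -> list[str]:
    """Return the sorted Python dunder names referenced by a JS/JSON string.

    An empty list means nothing suspicious was seen. This is a detection
    signal for logging or alerting, not a substitute for refusing to
    evaluate untrusted JavaScript at all.
    """
    return sorted(set(DUNDER_PROBE.findall(source)))


if __name__ == "__main__":
    print("parsed:", parse_untrusted_json(BENIGN_JSON))
    for sample in (JS_EXPRESSION, PROBE_SNIPPET):
        try:
            parse_untrusted_json(sample)
        except UnsafeInput as err:
            print("rejected:", err)
        print("probe names:", flags_sandbox_probe(sample))
```

`parse_untrusted_json` refuses both samples that are not JSON, and `flags_sandbox_probe` reports the three attribute names for the probe string and nothing for the benign document; the detection list is deliberately limited to the names the advisory mentions and should be treated as a stopgap, since the real fix is to stop evaluating untrusted JavaScript with `js2py`.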
## References
- [GitHub] Marven11 – *CVE-2024-28397: js2py sandbox escape*, PoC & patch https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
- [NVD] CVE-2024-28397 entry (CVSS 3.1 = 5.3) https://nvd.nist.gov/vuln/detail/CVE-2024-28397
- [GitHub Advisory] js2py RCE via `disable_pyimport()` sandbox escape https://github.com/advisories/GHSA-h95x-26f3-88hr
- [Wiz] Technical deep-dive and mitigation guidance https://www.wiz.io/vulnerability-database/cve/cve-2024-28397
- [MITRE] CVE registry summary and external links https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397
- [Rapid7] Metasploit module leveraging this vulnerability in Pyload http://www.rapid7.com/blog/post/2024/11/22/metasploit-weekly-wrap-up-11-22-2024