
CVE-2024-28397 PoC — Js2Py security vulnerability

Associated vulnerability

Title: Js2Py security vulnerability (CVE-2024-28397)
Description: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.

Description

CVE-2024-28397: js2py sandbox escape, bypassing the pyimport restriction.
Readme
## Introduction

[中文](./README_zh.md)

`js2py` is a popular Python package that evaluates JavaScript code inside the Python interpreter. It is used by various web scrapers to run the JavaScript found on websites.

A vulnerability exists in the implementation of a global variable inside `js2py` that lets an attacker obtain a reference to a Python object from within the js2py environment, escape the JavaScript environment, and execute arbitrary commands on the host.

Normally a user calls `js2py.disable_pyimport()` to stop JavaScript code from escaping the `js2py` environment. With this vulnerability an attacker can evade that restriction and execute any command on the host.

A threat actor can host a website containing a malicious JavaScript file, or send a malicious script via an HTTP API, for the victim's application to parse. Either way, the actor achieves remote code execution by running arbitrary shell commands on the target host.

## Details of the vulnerability

- Version number of the affected component:
  - latest js2py (<=0.74) running under Python 3
- Affected products:
  - [pyload/pyload](https://github.com/pyload/pyload)
  - [VeNoMouS/cloudscraper](https://github.com/VeNoMouS/cloudscraper) (uses js2py as an optional 'js interpreter')
  - [dipu-bd/lightnovel-crawler](https://github.com/dipu-bd/lightnovel-crawler)
- Steps to reproduce:
  - Install a Python 3 version below 3.12; `js2py` does not currently support Python 3.12.
  - Run `pip install js2py` to install `js2py`, then execute `poc.py`, which tries to run `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists, the script prints `Success! the vulnerability exists...` or a calculator pops up.

## Fix

No official fix is currently available; users can run `fix.py` to patch js2py dynamically at runtime, or apply `patch.txt` to fix the source code.
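Because the only published control (`js2py.disable_pyimport()`) is exactly what this CVE bypasses, the practical defensive question is whether an affected js2py is present at all. The following audit is an added example, not code from the PoC repository: it flags js2py pins inside the advisory's stated range (<=0.74), both for the interpreter it runs in and for `pip freeze`-style dependency lists so it can run in CI against lock files. The version-ordering rules it applies (numeric components only, pre-release suffixes dropped) are assumptions stated in the comments, and the sample freeze output is constructed.

```python
"""Audit for js2py releases affected by CVE-2024-28397 (js2py <= 0.74).

Added example; not part of the PoC repository. It checks the js2py installed
in the current interpreter (via importlib.metadata) and a `pip freeze`-style
dependency list, so the same logic can run in CI against lock files.
"""
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Dict, List, Optional

ADVISORY = "CVE-2024-28397"
# Highest affected release stated in the advisory text: js2py <= 0.74.
# Assumption: releases are ordered purely by their numeric components.
LAST_AFFECTED = (0, 74)


def parse_version(text: str) -> tuple:
    """Turn '0.74' or '0.74.1' into a tuple of ints for comparison.

    A trailing non-numeric suffix such as 'rc1' is dropped, so '0.74rc1'
    compares equal to '0.74'; that is the conservative reading for an audit.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(ver: str) -> bool:
    """True when the version falls inside the advisory's range (<= 0.74).

    Assumption: a hypothetical 0.74.1 would sort above 0.74 and therefore be
    reported as not affected; confirm any such release against upstream.
    """
    return parse_version(ver) <= LAST_AFFECTED


def audit_freeze(freeze_text: str) -> List[Dict[str, object]]:
    """Scan `pip freeze` output (one 'name==version' per line) for js2py pins."""
    findings = []
    for raw in freeze_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # comments, blank lines, URL/VCS requirements
        name, _, ver = line.partition("==")
        # pip prints the distribution name as 'Js2Py'; compare case-insensitively
        if name.strip().lower() != "js2py":
            continue
        findings.append({
            "requirement": line,
            "version": ver.strip(),
            "affected": is_affected(ver),
            "advisory": ADVISORY,
        })
    return findings


def check_installed() -> Optional[Dict[str, object]]:
    """Report on the js2py installed in the current interpreter, if any."""
    try:
        ver = installed_version("js2py")
    except PackageNotFoundError:
        return None
    return {"version": ver, "affected": is_affected(ver), "advisory": ADVISORY}


# Constructed sample of `pip freeze` output; not captured from a real environment.
SAMPLE_FREEZE = """\
# constructed sample
cloudscraper==1.2.71
Js2Py==0.74
requests==2.31.0
"""

if __name__ == "__main__":
    for finding in audit_freeze(SAMPLE_FREEZE):
        status = "AFFECTED" if finding["affected"] else "ok"
        print(f"{finding['requirement']}: {status} ({finding['advisory']})")
    local = check_installed()
    print("installed js2py:", local if local else "not installed")
```

A flagged pin in a service that evaluates JavaScript from untrusted sources (fetched pages, API-submitted scripts) should be treated as exposed to remote code execution regardless of whether `disable_pyimport()` is called. Until a fixed upstream release exists, the options are the `fix.py` runtime patch or `patch.txt` from this repository, or not feeding untrusted scripts to js2py at all.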

## Others

I found this vulnerability in February and submitted a PR to the official repo. But after that the PR was forgotten, and four months have passed, so I have decided to release the PoC and the fix now.