
CVE-2024-28397 PoC — Js2Py security vulnerability

Source
Associated Vulnerability
Title: Js2Py security vulnerability (CVE-2024-28397)
Description: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Description
The CVE-2024-28397 vulnerability affects versions of js2py up to v0.74, a Python library that allows JavaScript code to be executed within the Python interpreter. 
Readme
# Description-js2py
CVE-2024-28397 affects js2py up to and including v0.74. js2py is a Python library that translates JavaScript to Python and runs it inside the Python interpreter. The flaw is in the implementation of the disable_pyimport() method, which is meant to stop JavaScript code from reaching Python objects. Because the restriction is incomplete, an attacker who controls the JavaScript being evaluated can still obtain references to Python objects from inside the JavaScript environment, and from there execute arbitrary code on the host.

Technical Details

Affected component: js2py.disable_pyimport()<br>
Affected versions: Up to v0.74<br>
CVE ID: CVE-2024-28397<br>
CVSS v3.1: 5.3 (Medium)<br>
CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')<br>

The failure occurs because disable_pyimport() does not fully prevent JavaScript code from accessing Python objects. Even with the protection enabled, an attacker who can supply JavaScript to the interpreter can reach Python objects and execute arbitrary commands on the system. Any application that evaluates untrusted JavaScript with an affected js2py version should treat disable_pyimport() as insufficient and upgrade or stop evaluating untrusted input.
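The following is an added example, not the archived exploit_js2py.php (this page does not show that file's contents) and not js2py project code. It shows two things a practitioner wants after reading the details above: a version gate that refuses to hand attacker-controlled JavaScript to js2py in the affected range (the `Js2Py` PyPI distribution name is an assumption), and why a single leaked Python object reference is enough for code execution, demonstrated with plain CPython introspection rather than the JavaScript-side steps of the bypass.

```python
"""Added example for CVE-2024-28397 (js2py disable_pyimport() bypass).

affected_version()   gate for the range the advisory names (<= 0.74)
run_untrusted_js()   refuses to evaluate untrusted JavaScript on an affected version
os_module_from()     why one leaked Python object is enough: ordinary attribute
                     access walks from any object to the os module namespace
"""
import os
import re

LAST_AFFECTED = "0.74"  # upper bound stated in the advisory


def parse_version(text):
    """'0.74' -> (0, 74). Keeps leading integer components only, so a
    suffix such as '0.74rc1' still parses as (0, 74)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def affected_version(version_text, last_affected=LAST_AFFECTED):
    """True when a js2py version string falls in the advisory's affected range."""
    return parse_version(version_text) <= parse_version(last_affected)


def installed_js2py_version():
    """Version of the installed js2py, or None when it is not installed.
    Assumption: the distribution is registered under its PyPI name 'Js2Py'."""
    from importlib import metadata
    try:
        return metadata.version("Js2Py")
    except metadata.PackageNotFoundError:
        return None


def run_untrusted_js(source, version=None):
    """Evaluate attacker-controlled JavaScript with js2py only when the
    installed (or explicitly given) version is outside the affected range.

    disable_pyimport() is still called for defence in depth, but per the
    advisory it is not a sufficient barrier on <= 0.74, so the version gate
    is the control that matters here."""
    version = version or installed_js2py_version()
    if version is None:
        raise RuntimeError("js2py is not installed")
    if affected_version(version):
        raise RuntimeError(
            f"js2py {version} is affected by CVE-2024-28397; "
            "refusing to evaluate untrusted JavaScript")
    import js2py  # imported late so the gate runs even without js2py present
    js2py.disable_pyimport()
    return js2py.eval_js(source)


def os_module_from(obj):
    """Starting from an arbitrary Python object, reach the os module namespace
    using only attribute access and object.__subclasses__(): the generic route
    once a sandbox leaks any object reference. Returns the os module's globals
    dict, or None if no direct subclass of object is defined in os (on CPython,
    os._wrap_close always qualifies)."""
    root = type(obj).__mro__[-1]  # always `object`
    for cls in root.__subclasses__():
        try:
            globs = getattr(getattr(cls, "__init__", None), "__globals__", None)
        except Exception:  # a hostile class may raise on attribute access
            continue
        if isinstance(globs, dict) and globs.get("__name__") == "os":
            return globs  # holds os.system, os.popen, ...
    return None


def leaked_object_reaches_os(obj):
    """True when os_module_from(obj) found the real os module namespace."""
    return os_module_from(obj) is vars(os)


if __name__ == "__main__":
    print("0.74 affected:", affected_version("0.74"))
    print("empty dict reaches os namespace:", leaked_object_reaches_os({}))
```

The gadget walk shows the consequence the advisory states: the JavaScript side only needs to hand the attacker one Python object, and everything after that is standard interpreter introspection, so there is no meaningful "partial" escape to defend against. The fix is the version gate, not a stricter wrapper around disable_pyimport().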
File Snapshot

[4.0K] /data/pocs/73bca81daeffff2de0cc47a0b0eb8fdf029fc821
├── [3.0K] exploit_js2py.php
└── [ 987] README.md

0 directories, 2 files