Associated Vulnerability
Title:Js2Py 安全漏洞 (CVE-2024-28397)Description:Js2Py是Python基金会的一个库。用于将 JavaScript 转换为 Python 代码。 Js2Py 0.74 及之前版本存在安全漏洞,该漏洞源于组件 js2py.disable_pyimport() 中存在一个问题,攻击者利用该漏洞可以通过精心设计的 API 调用执行任意代码。
Description
This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution.
Readme
# CVE-2024-28397-command-execution-poc
This vulnerability arises from incomplete sandboxing in js2py, where crafted JavaScript can traverse Python’s internal object model and access dangerous classes like subprocess.Popen, leading to arbitrary command execution.
# JSON-Parsers & RCE Exploit PoC
## Overview
This repository contains a **proof-of-concept (PoC)** payload demonstrating a **sandbox escape** through `js2py.disable_pyimport()` a vulnerability in `js2py` versions up to **0.74**.
When an application **evaluates or parses user-supplied JSON/JavaScript unsafely**, this vulnerability allows an attacker to break out of the JavaScript sandbox, reach into Python internals, locate `subprocess.Popen`, and execute arbitrary commands.
---
## History & Context
- **CVE-2024-28397** was publicly disclosed on **June 20, 2024**, affecting many Python environments using `js2py` to parse JavaScript securely.
- The flaw resides in incomplete sandboxing within `js2py.disable_pyimport()`, and makes it possible to bypass intended import restrictions via global object access.
- The vulnerability carries a **CVSS v3.1 score of 5.3 / Medium** (attack complexity is low; privilege required is low; results in code execution).
- It has since appeared in vulnerability advisories from NVD, GitHub Advisory DB, Snyk, and other major vulnerability platforms.
---
## Exploit Overview
1. The vulnerable application **parses user-controlled JavaScript or JSON**.
2. The PoC uses a JavaScript snippet to traverse Python object graph:
- It accesses `__class__`, `__base__`, and `__subclasses__()` to locate `subprocess.Popen`.
- It executes a shell command and captures the output.
- The final result is safely returned as a string (JSON-safe).
-
## References
- [GitHub] Marven11 – *CVE-2024-28397: js2py sandbox escape*, PoC & patch https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
- [NVD] CVE-2024-28397 entry (CVSS 3.1 = 5.3) https://nvd.nist.gov/vuln/detail/CVE-2024-28397
- [GitHub Advisory] js2py RCE via `disable_pyimport()` sandbox escape https://github.com/advisories/GHSA-h95x-26f3-88hr
- [Wiz] Technical deep-dive and mitigation guidance https://www.wiz.io/vulnerability-database/cve/cve-2024-28397
- [MITRE] CVE registry summary and external links https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397
- [Rapid7] Metasploit module leveraging this vulnerability in Pyload http://www.rapid7.com/blog/post/2024/11/22/metasploit-weekly-wrap-up-11-22-2024
File Snapshot
[4.0K] /data/pocs/03927065ecb06dae380d082573be9dd76c1e1230
├── [ 793] payload.js
└── [2.5K] README.md
1 directory, 2 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.