A vulnerability has been identified in the Python package js2py, which according to download statistics was downloaded 1.2 million times last month. The vulnerability, tracked as CVE-2024-28397, allows attackers to bypass sandbox isolation and execute code on the system when specially crafted JavaScript data is processed. It can be exploited to attack programs that use js2py to parse or evaluate JavaScript code. The only fix currently available is in the form of patches. A proof-of-concept exploit was prepared to demonstrate the capabilities of the attack.
JS2PY is a JavaScript interpreter that encapsulates JavaScript code in an isolated virtual machine or translates JavaScript into Python. The project is written entirely in Python and does not rely on external JavaScript engines. The library is commonly used in web scrapers, download managers, and website analyzers for processing JavaScript-generated content.
Among the applications affected by the vulnerability are Lightnovel Crawler (a tool for downloading web novels in various formats), cloudscraper (a tool for bypassing bot protections on the Cloudflare CDN), and pyLoad (a download manager for JavaScript-enhanced websites). By feeding specially crafted JavaScript content into these applications, an attacker can execute arbitrary code on the user's system.
The vulnerability stems from a global variable within js2py that allows access to Python objects from JavaScript code, even when `js2py.disable_pyimport()` has been called to disable such access. By exploiting this vulnerability, an attacker can reach Python's `subprocess.Popen` and execute arbitrary commands on the system. A fix to address this vulnerability was