A vulnerability (CVE-2024-28397) has been identified in the Python package Js2Py, which was downloaded 1.2 million times in the past month. It allows bypassing the sandbox isolation and executing code on the system when specially crafted JavaScript data is processed. The vulnerability can be used to attack programs that rely on Js2Py to execute JavaScript code. A fix is currently available only in the form of a patch. A prototype exploit has been prepared to confirm that the attack is possible.
The Js2Py package implements a JavaScript interpreter and translator that allows JavaScript code to be run in an isolated virtual machine or translated into a Python representation. The project is written entirely in Python and does not use third-party JavaScript engines. In practice, the library is used in various web indexers, download systems and site analyzers that need to process content generated by JavaScript code.
The applications affected by the vulnerability include Lightnovel Crawler (a utility for downloading books from online services and saving them in various formats for offline reading), cloudscraper (which automatically bypasses the anti-bot pages used by the Cloudflare CDN) and pyLoad (a download manager that supports processing pages generated by JavaScript). When these applications process specially crafted JavaScript content, an attacker can execute arbitrary code at the system level.
The vulnerability lies in the implementation of a global object inside js2py, which allows JavaScript code running in the sandbox to obtain a reference to a Python object even though js2py.disable_pyimport() has been called to disable importing Python objects. An attacker can use this to execute arbitrary code on the system by reaching the Popen object from the Python subprocess module. Notably, the change that eliminates the vulnerability was sent to the Js2Py project on March 1, but three and a half months later it has still not been accepted.
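As an added, defender-side example that is not part of the original report: the audit below scans a requirements.txt or `pip freeze` listing for js2py and for the three downstream projects named above. Every js2py version is flagged, because at the time of the report no fixed release exists, only the unmerged patch. The PyPI distribution names used for the downstream projects (lightnovel-crawler, cloudscraper, pyload) are assumptions and should be checked against what your environment actually installs; the sample listing and its placeholder versions are constructed.

```python
"""Audit a requirements.txt / `pip freeze` listing for js2py (CVE-2024-28397)
and for the downstream projects the report names as affected."""
import re
import sys

ADVISORY = "CVE-2024-28397"

# Packages to flag. Distribution names for the downstream projects are assumptions
# (the report names the projects, not their PyPI distributions); adjust to taste.
FLAGGED = {
    "js2py": ("direct",
              "sandbox escape; no fixed release, apply the patch or stop feeding "
              "untrusted JavaScript to js2py"),
    "lightnovel-crawler": ("downstream", "uses js2py to process JavaScript from fetched pages"),
    "cloudscraper": ("downstream", "uses js2py to process Cloudflare anti-bot pages"),
    "pyload": ("downstream", "uses js2py to process JavaScript-generated pages"),
}

# A requirement line starts with the project name (PEP 508); extras, specifiers,
# markers or a `@ url` may follow.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return (normalised_name, pinned_version_or_None) for one requirement line.

    Blank lines, comments and option lines (-r, -e, --index-url, ...) yield None.
    Only an exact `==` pin is reported as a version; ranges and URLs give None.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _NAME_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]
    pin = re.search(r"==\s*([^\s,;]+)", rest)
    return normalize(m.group(1)), (pin.group(1) if pin else None)


def audit(lines):
    """Return one finding per flagged package, in file order."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, version = parsed
        if name in FLAGGED:
            kind, reason = FLAGGED[name]
            findings.append({"line": lineno, "package": name, "version": version,
                             "kind": kind, "advisory": ADVISORY, "reason": reason})
    return findings


def format_report(findings):
    """Render findings as one line each; empty list gives a clean-bill message."""
    if not findings:
        return "no js2py-related packages found"
    return "\n".join(
        f"line {f['line']}: {f['package']} {f['version'] or '(unpinned)'} "
        f"[{f['kind']}] {f['advisory']}: {f['reason']}"
        for f in findings)


# Constructed sample of `pip freeze` output; versions are placeholders, not real pins.
SAMPLE_FREEZE = """\
# constructed sample; versions are placeholders
requests==0.0.0
Js2Py==0.0.0
cloudscraper==0.0.0
six==0.0.0
lightnovel_crawler @ git+https://example.invalid/lightnovel-crawler.git
-e git+https://example.invalid/unrelated.git#egg=unrelated
pyLoad[all]>=0.0.0 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    # Usage: python audit_js2py.py requirements.txt   (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_FREEZE.splitlines()
    print(format_report(audit(lines)))
```

Run it against the output of `pip freeze` from each service that processes untrusted web content; a hit on js2py itself, or on one of the downstream projects, means that service executes JavaScript it did not write inside an interpreter whose sandbox does not hold, and it should be patched or isolated until it is.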