VYPR
Medium severity 5.3 (NVD Advisory) · Published Jun 20, 2024 · Updated Apr 15, 2026

CVE-2024-28397

Description

An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

js2py up to v0.74 allows sandbox escape via disable_pyimport() bypass, enabling arbitrary Python code execution.

Vulnerability

Overview

CVE-2024-28397 is a sandbox escape vulnerability in js2py, a JavaScript-to-Python translator and interpreter written in pure Python. The issue resides in the js2py.disable_pyimport() function, which is meant to restrict access to Python imports from JavaScript code. However, due to insufficient enforcement, an attacker can craft a JavaScript API call that circumvents this restriction, allowing the execution of arbitrary Python code within the Python runtime [1][2].

Exploitation

Mechanism

The attack requires the ability to supply or influence JavaScript code that is evaluated by js2py. No authentication is needed if the vulnerable component is exposed to untrusted input. By bypassing disable_pyimport(), an attacker can call Python functions (e.g., __import__, exec, or eval) directly from JavaScript, effectively escaping the sandbox and gaining access to the underlying Python environment [2][4].

Impact

Successful exploitation enables an attacker to execute arbitrary Python code on the host system. This can lead to full compromise of the application using js2py, including data exfiltration, privilege escalation, or further lateral movement within the network [1][2]. The CVSS v3 base score of 5.3 (Medium) reflects the moderate attack complexity and the need for some user interaction or specific conditions [2].

Mitigation

Status

As of the latest advisories, there is no patched release of js2py. A pull request (#323) has been submitted to address the issue, but it has not yet been merged into the main branch [3][4]. Users are advised to either migrate away from js2py or apply the proposed fix manually until an official update is released [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        | Affected versions | Patched versions
js2py (PyPI)   | <= 0.74           | none listed

Affected products: 5

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)