CVE-2024-28397: js2py Vulnerability Exposes Millions of Python Users to RCE
A critical vulnerability in js2py, a widely used Python library with over 1 million monthly downloads, has left web scrapers and other applications that evaluate untrusted JavaScript exposed to remote code execution (RCE). The flaw, designated CVE-2024-28397 and assigned a high CVSS score of 8.8, allows JavaScript evaluated by js2py to break out of the library's sandbox and run arbitrary commands on the underlying system with the privileges of the Python process.
js2py allows Python developers to seamlessly integrate JavaScript code into their projects. It’s a popular choice for web scraping tools due to its ability to parse and execute JavaScript within web pages. However, this very feature has become a dangerous attack vector.
An attacker can exploit the vulnerability by getting the target application to evaluate malicious JavaScript, for example by serving it from a compromised or attacker-controlled website that the scraper visits, or by returning it in a deceptive API response. No user interaction on the host is needed: once js2py evaluates the script, it escapes the sandbox and can execute any command the Python process is permitted to run.
Security researcher Marven11 discovered the vulnerability in February and responsibly submitted a patch to the official js2py repository. However, after four months of silence from the project maintainers, Marven11 has decided to go public with both the proof-of-concept exploit and the fix.
The vulnerability impacts all versions of js2py up to and including 0.74 running under Python versions below 3.12. Several popular projects that utilize js2py, including pyload, cloudscraper (which uses js2py as an optional JavaScript interpreter), and lightnovel-crawler, are also at risk.
At the time of writing, there is no official patch available from the js2py maintainers. However, users can apply the fix provided by Marven11 either dynamically using the fix.py script or by manually patching the source code with the instructions in patch.txt.
Given the severity of this vulnerability and its potential for widespread exploitation, developers and administrators are strongly urged to patch any application relying on js2py as soon as possible, and in the meantime to treat every piece of JavaScript fetched from the web as untrusted input that can compromise the host if evaluated. The risk of RCE is simply too high to ignore.