A critical vulnerability, designated CVE-2024-28397, has been discovered in js2py, a widely used library for running JavaScript from Python projects. This flaw, with a CVSS score of 8.8, allows attackers to execute arbitrary code on the host system, posing significant risks to web scrapers and other applications that use the library.
Affected Software
- js2py: All versions up to and including 0.74
- Python Versions: Below 3.12
- Impacted Projects: pyload, cloudscraper (optional JavaScript interpreter), lightnovel-crawler, among others
Vulnerability Details
js2py enables Python developers to run JavaScript code within their projects, making it highly useful for web scraping tools. However, the vulnerability allows an attacker to break out of the JavaScript sandbox and execute arbitrary commands on the host system. The exploit can be triggered when the application processes a malicious JavaScript file delivered by a compromised website or a deceptive API call.
Technical Analysis
- Exploit Mechanism: The vulnerability can be exploited by tricking a target into executing a specially crafted JavaScript file.
- Impact: Once the malicious script is processed, it gains the ability to run arbitrary commands on the host system, leading to potential full system compromise.
Mitigation Steps
Currently, there is no official patch from the js2py maintainers. However, users can mitigate the risk by:
- Applying the Fix Provided by Marven11:
  - Dynamic Fix: Use the provided fix.py script.
  - Manual Patch: Follow the instructions in patch.txt to manually update the source code.
Recommended Actions
- Immediate Update/Patch: Developers and administrators should apply the fix provided by Marven11 to mitigate the vulnerability.
- Monitor for Official Patch: Stay updated on the status of an official patch from js2py maintainers.
- Review and Test: Test thoroughly to ensure that the fix does not disrupt existing functionality.
- Audit Dependencies: Regularly audit dependencies for vulnerabilities and apply patches as they become available.
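As an added example (not code from js2py, Marven11, or the original advisory), the following Python script applies the affected ranges listed above to an inventory of installed distributions. The status labels, and the assumption that the impacted projects' distribution names match the names written on this page, are this example's own.

```python
import re
import sys
from importlib import metadata

# Ranges as stated in the advisory text above.
LAST_AFFECTED_JS2PY = (0, 74)        # js2py "up to and including 0.74"
FIRST_UNAFFECTED_PYTHON = (3, 12)    # Python "below 3.12"
# Impacted projects named on the page; distribution names are assumed to match.
DOWNSTREAM = {"pyload", "cloudscraper", "lightnovel-crawler"}


def normalize(name):
    """PEP 503 normalization so 'Js2Py', 'js2py' and 'JS2PY' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version):
    """Numeric release prefix without trailing zeros: '0.74.0' -> (0, 74)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(packages, python_version):
    """Classify exposure from (name, version) pairs and a (major, minor) tuple."""
    pkgs = {normalize(n): v for n, v in packages if n}
    found = pkgs.get("js2py")
    report = {"js2py": found, "downstream": sorted(DOWNSTREAM & pkgs.keys())}
    rel = release_tuple(found) if found else None
    if found is None:
        report["status"] = "js2py-not-installed"
    elif rel is None:
        report["status"] = "review-manually"      # unparseable version: fail closed
    elif rel > LAST_AFFECTED_JS2PY:
        report["status"] = "outside-affected-js2py-range"
    elif tuple(python_version[:2]) >= FIRST_UNAFFECTED_PYTHON:
        report["status"] = "outside-affected-python-range"
    else:
        report["status"] = "affected"             # apply the fix described above
    return report


if __name__ == "__main__":
    installed = [(d.metadata["Name"], d.version) for d in metadata.distributions()]
    print(assess(installed, sys.version_info))
```

A status of `affected` means only that the installed versions fall in the affected range; a version check cannot tell whether the fix.py or patch.txt change has already been applied.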
CVE-2024-28397 poses a severe threat due to its high potential for exploitation and the widespread use of the js2py library. Immediate action is required to apply the available fix and safeguard systems against RCE attacks.