PT-2024-4746 · Pypi+1 · Js2Py+1

Marven11 · Published 2024-02-28 · Updated 2026-02-03 · CVE-2024-28397

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

js2py versions prior to 0.74
python-Js2Py versions prior to 0.74-3.1 (openSUSE Tumbleweed)
pyload-ng versions less than or equal to 0.5.0b3.dev85 (when used with Python 3.11 or below)

Description

A sandbox escape issue exists in the js2py.disable_pyimport() component of js2py, allowing attackers to execute arbitrary code via a crafted API call. This vulnerability, identified as CVE-2024-28397, can be exploited by sending a malicious JavaScript payload to the application. The vulnerability allows bypassing sandbox restrictions and executing commands on the system.

The pyload-ng application, when using js2py with Python 3.11 or below, is vulnerable through its /flash/addcrypted2 API endpoint. An attacker can bypass localhost restrictions using HTTP headers to access this endpoint and achieve Remote Code Execution (RCE).

Millions of Python users are potentially affected, as js2py is a widely used library with over 1 million monthly downloads.

Recommendations

js2py versions prior to 0.74: Upgrade to a newer version that addresses this vulnerability.
python-Js2Py versions prior to 0.74-3.1 (openSUSE Tumbleweed): Upgrade to version 0.74-3.1 or later.
pyload-ng versions less than or equal to 0.5.0b3.dev85 (when used with Python 3.11 or below): Upgrade to a newer version of pyload-ng that addresses this vulnerability or use Python 3.12 or above.

Exploit

Fix

RCE

LPE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-05266
CVE-2024-28397
ECHO-AF95-1DA0-5A17
GHSA-H95X-26F3-88HR
GHSA-R9PP-R4XF-597R
MGASA-2024-0256
OPENSUSE-SU-2024:14086-1
OPENSUSE-SU-2024_2272-1
SUSE-SU-2024:2272-1

Affected Products

Suse
Js2Py