js2py is a popular python package that can evaluate javascript code inside the python interpreter. It is used by various web scrapers to parse javascript code on websites.
There is a vulnerability in the implementation of global variables within js2py, which could allow an attacker to obtain references to python objects in the js2py environment, thereby allowing the attacker to exit the js environment and execute arbitrary commands on the host.
Typically the user will call js2py.disable_pyimport() to stop the javascript code from leaving the js2py environment. With this vulnerability, an attacker can circumvent that restriction and execute any command on the host.
Threat actors can host websites that contain malicious js files, or send malicious scripts via an HTTP API, for victim applications to evaluate. By doing so, the actor can achieve remote code execution, running any shell command on the target host.
- Affected component versions: latest js2py (<=0.74) running under python 3
- Affected products:
  - pyload/pyload
  - VeNoMouS/cloudscraper (uses js2py as an optional 'js interpreter')
  - dipu-bd/lightnovel-crawler
- The steps to reproduce:
  - Install python3 below 3.12; currently js2py doesn't support python 3.12.
  - Run `pip install js2py` to install js2py and execute poc.py, which would try to execute `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists the script should print `Success! the vulnerability exists...` or pop up a calculator.
Currently no official fix is available; users can use fix.py to dynamically patch js2py, or apply patch.txt to fix the source code.
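Until a fixed release exists, the practical mitigation is to treat js2py's sandbox as untrusted and evaluate scripts in a throw-away process that has little to inherit. The wrapper below is an added example, not code from this advisory or from the js2py project; it assumes a POSIX host (for the stdlib `resource` module) and, for `eval_js_isolated`, that js2py is installed.

```python
import subprocess
import sys
import textwrap

# Added defensive example, not from the advisory or the js2py project: run js2py in a
# throw-away interpreter so a sandbox escape inherits as little as possible. Assumes a
# POSIX host (resource module is stdlib there) and, for eval_js_isolated, js2py.
CHILD_PROLOGUE = textwrap.dedent("""
    import resource
    resource.setrlimit(resource.RLIMIT_AS, (1024 ** 3, 1024 ** 3))  # cap address space
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))    # CPU seconds, backs the wall-clock timeout
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))  # no fork(): blocks spawning a shell
    # (RLIMIT_NPROC is not enforced for root on Linux; run the service unprivileged)
""")

def run_isolated(child_code: str, stdin_data: str = "", timeout: float = 5.0) -> dict:
    """Run child_code in a fresh `python -I` process: empty environment, rlimits applied
    before anything untrusted executes, and a hard wall-clock timeout from the parent."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", CHILD_PROLOGUE + child_code],
            input=stdin_data,
            capture_output=True,
            text=True,
            timeout=timeout,
            env={},  # no PATH/HOME/credentials leak into the child
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout"}
    if proc.returncode != 0:
        return {"status": "error", "detail": proc.stderr.strip()[-500:]}
    return {"status": "ok", "output": proc.stdout.strip()}

def eval_js_isolated(js_source: str, timeout: float = 5.0) -> dict:
    """Evaluate untrusted JS via js2py inside the isolated child. The JS arrives on stdin,
    so attacker-controlled text is never quoted into Python source."""
    child = textwrap.dedent("""
        import json, sys
        import js2py
        js2py.disable_pyimport()  # the documented guard; bypassable on <=0.74, hence the rlimits
        print(json.dumps(str(js2py.eval_js(sys.stdin.read()))))
    """)
    return run_isolated(child, stdin_data=js_source, timeout=timeout)

if __name__ == "__main__":
    print(run_isolated("print(6 * 7)"))                            # {'status': 'ok', 'output': '42'}
    print(run_isolated("import time; time.sleep(30)", timeout=1))  # {'status': 'timeout'}
    print(eval_js_isolated("[1, 2, 3].map(function (x) { return x * 2; }).join(',')"))
```

The rlimits and the empty environment do not make js2py's own sandbox stronger; they only bound what a successful escape can do, so the process should additionally run as an unprivileged user with no secrets on disk.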
I found this vulnerability in February and submitted a PR to the official repo. But after that, the PR was forgotten and four months have passed, so I decided to release the PoC and the fix now.