A major vulnerability has been identified in the widely used Python library js2py. This library is utilized by numerous web scrapers and applications, and it receives more than one million monthly downloads.
The vulnerability, identified as CVE-2024-28397, is of the highest severity and enables malicious actors to execute any commands they desire on a system through the use of js2py.
In February, Marven11, a security researcher, identified the issue. He promptly submitted a patch to the official js2py repository. Marven11 elected to inform the public of the issue and the solution.
After four months of silence from the project maintainers, Marven11 has decided to go public with both the proof-of-concept exploit and the fix.
js2py is a favored tool among Python developers due to its ability to integrate JavaScript into their applications.
It is favored by numerous web scraping tools due to its ability to receive and execute JavaScript from web pages.
However, this attribute is currently hazardous. It is possible for malicious actors to deceive an individual into executing a JavaScript file that is harmful.
This can be accomplished by means of a fabricated API call or a compromised website. The perpetrator has the ability to assume control of the host system and execute any command they desire when the harmful script is executed.
The vulnerability is present in all versions of js2py, including version 0.74, when they are operating under Python versions below 3.12.
Additionally, the utilization of js2py poses a threat to numerous prominent projects, including pyload, cloudscraper, and lightnovel-crawler.
At present, the js2py maintainers have not issued an official patch. However, the modification implemented by Marven11 is accessible to users.
They can accomplish this by manually altering the source code in accordance with the instructions in patch.txt or by employing a fix.py script.
Developers and administrators should promptly update or resolve any applications that utilize js2py due to the severity of this issue. Remote code execution attacks pose an overwhelming danger that cannot be disregarded.