CVE-2022-30286
Published 2022-05-09
CVE-2022-30286: pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.
Priority: P259 (high); CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 13.00% (95.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyscript | pyscript | <= 2022-05-04 | — |
Detection & IOCs (extracted from sources)
- Monitor for PyScript applications reading arbitrary local filesystem paths (e.g. /lib/python3.10/) via Python open() calls executed in the browser's Emscripten virtual memory (VMemory); this is the core exploitation primitive for CVE-2022-30286.
- Detect exfiltration of read file contents via a console.log override that base64-encodes captured output and POSTs it to an attacker-controlled endpoint: look for outbound POST requests with Content-Type: text/plain;charset=utf-8 and a JSON body containing a 'content' key with base64 data originating from a PyScript page.
- Flag PyScript pages (those loading pyscript.js or containing <py-script> tags) where an inline script overrides console.log to intercept and exfiltrate printed output; this is the attacker's data-theft mechanism for source code read via CVE-2022-30286.
- The exploit targets PyScript version 2022-05-04-Alpha specifically; later versions may not expose the same Emscripten VMemory filesystem paths to arbitrary open() calls.
- The exploit was tested on an Ubuntu Apache Server environment; the accessible VMemory paths (e.g. /lib/python3.10/) are Emscripten virtual paths and may differ across deployment configurations.
- The exfiltration URL in the PoC is a placeholder (YOURburpcollaborator.net); in real attacks this will be replaced with an attacker-controlled OOB collection endpoint, so detections should not rely on this specific domain.
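The detection guidance above describes two observables: a page that loads PyScript and hooks console.log, and an outbound POST carrying base64 data under a 'content' key. The following is an added example (not code from the CVE sources or from the PyScript project) that turns those observables into a small detector. It assumes a constructed, simplified record shape for captured pages and HTTP requests (dicts with method, url, content_type, referer and body), which any real proxy or EDR export would need to be mapped onto; the destination host and page URLs are constructed sample values.

```python
import base64
import binascii
import json
import re

# IOC: page loads pyscript.js or contains a <py-script> tag.
PYSCRIPT_RE = re.compile(r"pyscript\.js|<py-script\b", re.IGNORECASE)
# IOC: inline script reassigns console.log (the hook used to capture printed output).
CONSOLE_OVERRIDE_RE = re.compile(r"console\.log\s*=")


def is_pyscript_page(html: str) -> bool:
    """True if the HTML references pyscript.js or uses <py-script>."""
    return PYSCRIPT_RE.search(html) is not None


def overrides_console_log(html: str) -> bool:
    """True if the HTML contains a script that reassigns console.log."""
    return CONSOLE_OVERRIDE_RE.search(html) is not None


def _looks_base64(value, min_len: int = 16) -> bool:
    """Strict base64 check: alphabet, padding and a successful validated decode."""
    if not isinstance(value, str) or len(value) < min_len:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_exfil_request(req: dict) -> bool:
    """Match the request shape from the IOC: POST, text/plain;charset=utf-8,
    JSON body whose 'content' key holds base64 data."""
    if req.get("method", "").upper() != "POST":
        return False
    ctype = req.get("content_type", "").replace(" ", "").lower()
    if ctype != "text/plain;charset=utf-8":
        return False
    try:
        body = json.loads(req.get("body", ""))
    except json.JSONDecodeError:
        return False
    return isinstance(body, dict) and _looks_base64(body.get("content"))


def scan(pages: dict, reqs: list) -> list:
    """Return one alert per exfil-shaped request whose referer is a PyScript page.
    The alert records whether that page also hooks console.log."""
    alerts = []
    for req in reqs:
        if not is_exfil_request(req):
            continue
        html = pages.get(req.get("referer", ""), "")
        if not is_pyscript_page(html):
            continue
        alerts.append({
            "referer": req["referer"],
            "destination": req["url"],
            "console_log_overridden": overrides_console_log(html),
        })
    return alerts


# Constructed sample data (not real captures). Hosts and paths are placeholders.
PAGES = {
    "https://app.example/index.html": (
        '<script src="pyscript.js"></script>'
        "<script>console.log = function (m) { /* hook */ };</script>"
        "<py-script>print('hello')</py-script>"
    ),
    "https://app.example/plain.html": "<html><body>no pyscript here</body></html>",
}
SAMPLE_B64 = base64.b64encode(b"def main():\n    pass\n").decode()
REQUESTS = [
    {"method": "POST", "url": "https://collector.invalid/c",
     "content_type": "text/plain;charset=utf-8",
     "referer": "https://app.example/index.html",
     "body": json.dumps({"content": SAMPLE_B64})},
    {"method": "POST", "url": "https://collector.invalid/c",
     "content_type": "application/json",  # wrong content type: not the IOC shape
     "referer": "https://app.example/index.html",
     "body": json.dumps({"content": SAMPLE_B64})},
    {"method": "POST", "url": "https://collector.invalid/c",
     "content_type": "text/plain;charset=utf-8",
     "referer": "https://app.example/plain.html",  # not a PyScript page
     "body": json.dumps({"content": SAMPLE_B64})},
    {"method": "GET", "url": "https://app.example/static.css",
     "content_type": "", "referer": "https://app.example/index.html", "body": ""},
]

if __name__ == "__main__":
    for alert in scan(PAGES, REQUESTS):
        print(alert)
```

The content-type and JSON-shape checks are deliberately tied to the PoC as described above; a production rule should treat them as one signal among several (any POST of base64 blobs from a PyScript page to a host outside the application's own origin is worth reviewing), since, as the note above says, the destination domain in the PoC is a placeholder and will vary.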
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167069/PyScript-2022-05-04-Alpha-Source-Code-Disclosure.html
- https://cyber-guy.gitbook.io/cyber-guy/blogs/the-art-of-vulnerability-chaining-pyscript
- https://cyber-guy.gitbook.io/cyber-guy/pocs/pyscript-file-read
- https://github.com/pyscript/pyscript/commits/main
- https://www.exploit-db.com/exploits/50918