Critical Remote Code Execution in Js2Py 0.74 (CVE‑2024‑28397) – Sandbox Escape Affects Multiple Web‑Apps
What Happened – A remote‑code‑execution vulnerability (CVE‑2024‑28397) was disclosed in the Python library Js2Py, affecting version 0.74 and every earlier release. Js2Py is meant to evaluate JavaScript inside a sandbox, but Object.getOwnPropertyNames hands the script a real Python object; from that object an attacker reaches Python's introspection attributes, walks object.__subclasses__() to subprocess.Popen, and runs arbitrary commands on the host. The escape does not use pyimport, so js2py.disable_pyimport() does not prevent it. Public exploit code is available on Exploit‑DB.
Why It Matters for TPRM –
- The flaw resides in a third‑party library that many SaaS, API, and cloud‑native services embed, creating a supply‑chain attack surface.
- Successful exploitation can lead to full host compromise, exposing downstream data and services.
- The exploit is trivial to weaponize: a short, self‑contained JavaScript payload that needs no authentication or special configuration beyond getting JavaScript evaluated by the library. The public exploit has been run on macOS and Linux, and nothing in the technique is platform‑specific, so Windows hosts running Js2Py should be treated as exposed as well.
Who Is Affected – Companies that integrate Js2Py into web applications, API back‑ends, or server‑side JavaScript‑to‑Python translation layers – notably SaaS platforms, cloud‑infra tooling, and any service exposing user‑controlled JavaScript execution.
Recommended Actions –
- Upgrade to a release that removes the escape as soon as one is published; at the time of disclosure no patched release of Js2Py was available, so until then treat every deployed version as vulnerable and take the library out of any path that evaluates untrusted JavaScript.
- Conduct an inventory of all applications and services that depend on Js2Py ≤ 0.74.
- Do not rely on input validation to make Js2Py safe: denylists for identifiers such as __getattribute__, __subclasses__ or getOwnPropertyNames are bypassed by assembling property names at runtime in JavaScript. Stop passing user‑supplied JavaScript to the library, or run it in a separate, unprivileged, network‑isolated process or container whose compromise is survivable.
- Monitor for Python application or worker processes spawning shells (/bin/sh -c) or other unexpected child processes, and raise host‑based EDR alerts on such execution; the public payload launches its command through subprocess.Popen from inside the Python process that hosts Js2Py.
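For the inventory step, the following is an added example (not code from the advisory or from the Js2Py project) that classifies requirements.txt, pip freeze or pip list lines by whether the Js2Py version they would install can be at or below 0.74. The sample requirements file is constructed for this example; the three status labels are this example's own convention.

```python
"""Added example for the inventory step, not code from the advisory or the
Js2Py project. Classifies requirement lines by whether the Js2Py version they
resolve to can be <= 0.74. The sample file below is constructed."""
import re

VULN_MAX = (0, 74)  # every Js2Py release up to and including 0.74 is affected

# name, optional PEP 440 operator, optional version; case-insensitive because
# both "js2py" and "Js2Py" appear in requirement files
REQ_RE = re.compile(
    r"^\s*(js2py)(?![\w-])\s*(==|<=|>=|~=|!=|<|>)?\s*([0-9][0-9.]*)?", re.I
)


def parse_version(text):
    """'0.74' -> (0, 74); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def js2py_status(line):
    """Classify one line.

    Returns 'vulnerable'   - resolves to a version <= 0.74 for sure
            'unaffected'   - the specifier excludes every version <= 0.74
            'needs-review' - unpinned, lower bound too low, or upper bound only
            None           - the line does not mention js2py
    """
    match = REQ_RE.match(line.split("#", 1)[0])  # drop trailing comments
    if not match:
        return None
    op, ver = match.group(2), match.group(3)
    if not ver:
        return "needs-review"
    version = parse_version(ver)
    if op in (None, "=="):  # exact pin, or "name version" pip list output
        return "vulnerable" if version <= VULN_MAX else "unaffected"
    if op == ">" and version >= VULN_MAX:
        return "unaffected"
    if op in (">=", "~=") and version > VULN_MAX:
        return "unaffected"
    return "needs-review"  # bound does not rule out a vulnerable resolve


def scan(text):
    """Return (stripped line, status) for every js2py line in a requirements file."""
    findings = []
    for line in text.splitlines():
        status = js2py_status(line)
        if status:
            findings.append((line.strip(), status))
    return findings


# constructed requirements.txt for this example
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for this example
requests==2.31.0
Js2Py==0.74
js2py>=0.70   # transitive pin carried in from a vendor package
"""

if __name__ == "__main__":
    for line, status in scan(SAMPLE_REQUIREMENTS):
        print(f"{status:12} {line}")
```

Run it over every requirements file, lock file export and `pip freeze` dump you collect from a vendor; anything that is not `unaffected` must be traced to the version actually installed, since an unpinned or loosely bounded requirement tells you nothing about what resolved in production.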
Technical Notes – The flaw is a sandbox escape. Object.getOwnPropertyNames returns a Python list object to the JavaScript side; reading its __getattribute__ gives the script a way to fetch any Python attribute, and __class__.__base__ leads to object. From there the payload traverses __subclasses__() recursively until it finds a class whose __module__ is subprocess and __name__ is Popen, then calls it with an attacker‑chosen command. No module import is involved, so disabling pyimport is not a mitigation. No patch existed at the time of disclosure. The Exploit‑DB script generates the JavaScript payload; it has to reach js2py.eval_js (or an EvalJs context) through whatever input the application forwards to the library, so any field or parameter that ends up evaluated is an injection point. Source: https://www.exploit-db.com/exploits/52532
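To make the gadget walk concrete, here is an added example (not the advisory's or the Js2Py project's code) that performs the Python side of the chain in plain Python, so it runs without Js2Py installed. In the real payload the JavaScript obtains one Python object (the list returned by Object.getOwnPropertyNames), reads its __getattribute__, and from there does exactly this walk; the empty list used below as the leaked object is a stand‑in. The command is never executed here; the function only returns the class the payload would call.

```python
"""Added example, not the advisory's or the Js2Py project's code: the Python
side of the CVE-2024-28397 gadget chain, runnable without Js2Py. The leaked
object is simulated with an empty list."""
import subprocess  # ensures subprocess.Popen is loaded, as in any real web app


def root_from_leaked(leaked):
    """What the payload does with its leaked object: climb to the top of the MRO.

    The public PoC uses __class__.__base__, which is `object` for a list; the
    MRO form gives the same answer for any leaked object type."""
    return type(leaked).__mro__[-1]


def find_popen(root=object):
    """Depth-first walk over __subclasses__() starting at `root`.

    Returns subprocess.Popen if it is reachable, else None. No import is
    needed, which is why js2py.disable_pyimport() does not stop the attack."""
    seen = set()
    stack = [root]
    while stack:
        cls = stack.pop()
        if cls in seen:
            continue
        seen.add(cls)
        if getattr(cls, "__module__", None) == "subprocess" and cls.__name__ == "Popen":
            return cls
        try:
            stack.extend(cls.__subclasses__())
        except TypeError:
            # `type` and other metaclasses need an explicit argument; the PoC
            # skips them as well
            continue
    return None


if __name__ == "__main__":
    leaked = []  # stand-in for the Python list the JavaScript side receives
    popen = find_popen(root_from_leaked(leaked))
    print(popen)  # the payload calls this with an attacker-chosen shell command
```

The point for defenders is that the walk starts from `object`, which every Python value exposes, and that subprocess.Popen is a direct subclass of it; once a sandbox leaks any Python attribute, there is no allow‑list of modules that can close the hole.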