Exploit for CVE-2024-28397
Description

Introduction

js2py is a popular Python package that can evaluate JavaScript code inside the Python interpreter. It is used by various web scrapers to parse JavaScript code on websites. There exists a vulnerability in the implementation of a global variable inside js2py that allows an attacker to obtain a reference to a Python object from within the js2py environment, and thereby escape the JS environment and execute arbitrary commands on the host. Normally a user would call js2py.disable_pyimport() to stop JavaScript code from escaping the js2py environment, but with this vulnerability an attacker can evade this restriction and execute any command on the host. The threat actor can host a website containing a malicious JS file, or send a malicious script via an HTTP API for the victim to parse. By doing so, the actor achieves remote code execution on the host and can run any shell command on the target.

Details of the vulnerability

Version number of the affected component: latest js2py (<=0.74) running under Python 3.

Affected products:
- pyload/pyload
- VeNoMouS/cloudscraper (uses js2py as an optional 'js interpreter')
- dipu-bd/lightnovel-crawler

The steps to reproduce: install a Python 3 version below 3.12 (js2py currently does not support Python 3.12). Run pip install js2py to install js2py and execute poc.py, which will try to execute head -n 1 /etc/passwd; calc; gnome-calculator; kcalc; on the host. If the vulnerability exists, the script should print Success! the vulnerability exists… or pop up…
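The affected version range and the downstream consumers listed above are the facts a defender needs to triage this CVE in a dependency inventory. The following is an added example, not code from the exploit repository, that audits `pip freeze`-style output for js2py <=0.74 and for the named downstream projects; the PyPI distribution names for those projects (pyload-ng, cloudscraper, lightnovel-crawler) are assumed, since the advisory gives GitHub repository names.

```python
import re
from typing import Dict, List, Tuple

# js2py releases at or below this version are affected, per the advisory.
MAX_AFFECTED_JS2PY: Tuple[int, ...] = (0, 74)

# Downstream projects the advisory names as js2py users. The PyPI
# distribution names are assumed here (the advisory gives GitHub repo names).
DOWNSTREAM_CONSUMERS = {"pyload-ng", "cloudscraper", "lightnovel-crawler"}

# Matches an exact pin such as "js2py==0.74"; other specifiers are ignored.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize_name(name: str) -> str:
    """PEP 503-style normalization so js2py, Js2Py and js_2py compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '0.74.0' into (0, 74): trailing zeros are dropped so that
    0.74 and 0.74.0 compare equal under Python tuple ordering."""
    parts = [int(p) for p in ver.strip(".").split(".") if p]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit_freeze(lines: List[str]) -> Dict[str, str]:
    """Return {package: reason} for every pinned line that warrants attention.
    Unpinned or unparsable lines are skipped (a real audit would resolve them)."""
    findings: Dict[str, str] = {}
    for line in lines:
        m = _PIN.match(line)
        if not m:
            continue
        name, ver = normalize_name(m.group(1)), parse_version(m.group(2))
        if name == "js2py" and ver <= MAX_AFFECTED_JS2PY:
            findings[name] = f"js2py {m.group(2)} <= 0.74: affected by CVE-2024-28397"
        elif name in DOWNSTREAM_CONSUMERS:
            findings[name] = "uses js2py as a JS interpreter; check its js2py pin"
    return findings


if __name__ == "__main__":
    # Constructed sample of `pip freeze` output, not taken from any real host.
    sample = ["js2py==0.74", "cloudscraper==1.2.71", "requests==2.31.0"]
    for pkg, reason in audit_freeze(sample).items():
        print(f"{pkg}: {reason}")
```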
