CVE-2024-28397: 
Python vulnerability analysis and mitigation

CVE-2024-28397 affects js2py versions up to v0.74, a popular Python package used for evaluating JavaScript code inside Python interpreters. The vulnerability was discovered in February 2024 and publicly disclosed on June 20, 2024. The affected component is js2py.disable_pyimport(), which is commonly used in web scrapers and applications for parsing JavaScript code (GitHub PoC).

The vulnerability exists in the implementation of a global variable inside js2py that allows attackers to obtain a reference to a Python object in the js2py environment. This enables attackers to escape the JavaScript environment despite the use of js2py.disable_pyimport(), which is intended to prevent such escapes. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (NVD).

The vulnerability allows attackers to execute arbitrary code on the host system by bypassing the JavaScript sandbox restrictions. This affects multiple popular projects including pyload, cloudscraper (which uses js2py as an optional JavaScript interpreter), and lightnovel-crawler. With over 1 million monthly downloads, the impact of this vulnerability is significant (Security Online).

Currently, there is no official patch available from the js2py maintainers. However, users can apply the fix provided by security researcher Marven11 either dynamically using the fix.py script or by manually patching the source code with the instructions in patch.txt (GitHub PoC).