## Introduction


`js2py` is a popular python package that can evaluate javascript code inside python interpreter. It is used by various web scrapers to parse javscript code on the website.

There exist a vulnerability in the implementation of a global variable inside `js2py`, allowing attacker obtaining a reference to a python object in the js2py environment, thus enabling attacker to escape js environment and execute arbitrary commands on the host.

Normally user would call `js2py.disable_pyimport()` to stop javascript code escaping the `js2py` environment. But with this vulnerability attacker can evade this restriction and execute any command on the host.

The threat actor can host a website containing a malicious js file or send a malicious script via HTTP API for victim to parse. By doing that, the actor can commit remote code execution on the host by executing any shell command on the target.

## Details of the vulnerability

- Version number of the affected component:
  - latest js2py (<=0.74) that runs under python 3
- affected products:
  - [pyload/pyload](
  - [VeNoMouS/cloudscraper]( (use js2py as a optional 'js interpreter')
  - [dipu-bd/lightnovel-crawler](
- The steps to reproduce:
  - install python3 under 3.12, currently `js2py` don't support python3.12.
  - Run `pip install js2py` to install `js2py` and execute ``, which would try to execute `head -n 1 /etc/passwd; calc; gnome-calculator; kcalc;` on the host.
  - If the vulnerability exists the script should print `Success! the vulnerability exists...` or pop up calculator.

## Fix

Currently official fix is unavailable, user can use `` to dynamically patch js2py or use patch.txt to fix the source code.

## Others

I found this vulnerability in Feburary, and submit a PR to the official repo. But after that, the PR is being forgot and four months have passed, I decide to release the PoC and the fix now.