CVE-2024-28397: n/a
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-28397 identifies a vulnerability in the js2py library, a tool that translates Python code into JavaScript. The issue resides in the disable_pyimport() function, which is intended to restrict Python import capabilities within the js2py environment. However, because of improper control of code generation (CWE-94) and insufficient input validation, attackers can craft specific API calls that bypass these restrictions and execute arbitrary code. The CVSS 3.1 vector indicates a local attack vector (AV:L), low attack complexity (AC:L), no user interaction required (UI:N), unchanged scope (S:U), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). In practice, attackers with local or privileged access can execute code that compromises the system or application using js2py; the vector does not indicate remote exploitation. All versions of js2py up to 0.74 are affected, and no patch is currently available. No exploitation in the wild has been reported, but the risk remains wherever js2py is used in sensitive or exposed contexts.
Potential Impact
The vulnerability allows local attackers with some privileges to execute arbitrary code, which can lead to unauthorized actions such as data leakage, modification, or service disruption. While the impact on confidentiality, integrity, and availability is rated low, the ability to run arbitrary code can be leveraged for privilege escalation or lateral movement within an organization’s network. Systems embedding js2py in web applications, automation scripts, or development tools are at risk. The limited attack vector (local access required) reduces the likelihood of widespread remote exploitation but does not eliminate risk in multi-user or shared environments. Organizations using js2py in critical infrastructure or sensitive environments could face operational disruptions or data compromise if exploited.
Mitigation Recommendations
1. Restrict access to systems and environments where js2py is deployed to trusted users only, minimizing the risk of local exploitation.
2. Implement strict input validation and sandboxing around js2py usage to prevent untrusted code execution.
3. Monitor and audit API calls to detect unusual or crafted inputs targeting disable_pyimport().
4. Consider isolating js2py execution environments using containerization or virtual machines to limit potential damage.
5. Stay updated with js2py releases and apply patches promptly once available.
6. If feasible, review and modify application code to avoid reliance on disable_pyimport(), or replace js2py with an alternative library that does not have this vulnerability.
7. Employ endpoint protection solutions that can detect anomalous code execution patterns locally.
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d8fb7ef31ef0b588933
Added to database: 2/25/2026, 9:45:51 PM
Last enriched: 2/28/2026, 10:19:53 AM
Last updated: 4/11/2026, 5:54:57 PM