AI description
CVE-2024-28397 is a code injection vulnerability found in the `js2py` Python library, which functions as a JavaScript to Python translator and interpreter. This flaw specifically impacts the `js2py.disable_pyimport()` function, a feature designed to create a sandboxed environment by preventing JavaScript code from importing Python modules. However, the vulnerability allows an attacker to bypass this security mechanism. Through a specially crafted API call, an attacker can exploit this vulnerability to escape the intended sandbox and gain the ability to execute arbitrary code within the Python environment. This issue affects `js2py` versions up to and including 0.74.
- Description: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
- Source: cve@mitre.org
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 5.3
- Impact score: 3.4
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Severity: MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-94
- Hype score: Not currently trending
HackTheBox - CodeTwo 🧠 RCE in js2py (CVE-2024-28397) 🔑 Credentials in SQLite database 🛠️ Privesc via sudo + npbackup-cli https://t.co/TEJuq08AJV
@sckull_
31 Jan 2026
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New HackTheBox walkthrough: CodePartTwo Exploiting js2py CVE-2024-28397 sandbox escape for initial access, then privilege escalation through NPBackup misconfiguration to extract root SSH keys. Full breakdown from recon to root. https://t.co/uhc2UsUyr9 #HackTheBox #OSCP https:/
@Strikoder
31 Jan 2026
88 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CodeTwo from @hackthebox_eu features a js2py sandbox escape via CVE-2024-28397, MD5 hash cracking from SQLite, and abusing npbackup-cli sudo permissions to read root's SSH key from backups. https://t.co/RfU6qnxioj
@0xdf_
31 Jan 2026
1821 Impressions
11 Retweets
46 Likes
10 Bookmarks
0 Replies
0 Quotes
Hey, I coded a script, no "box" mention! Dunno who’ll use it sandbox escape, CVE-2024-28397, RCE! 😜 https://t.co/ibp5yaSL7g #0xdtc
@DTCx0
15 Sept 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
https://t.co/Rz2kwysXs1 My Repo -> CVE-2024-28397 js2py Sandbox Escape Exploit - (CodePartTwo - HTB) https://t.co/kx7y2Scbr3
@naclapor
9 Sept 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes