CVE-2017-7235: cfscrape Improper Input Validation vulnerability
8.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.61711%
CWE
Published
7/13/2018
Updated
9/13/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
cfscrape | pip | >= 1.6.6, <= 1.7.1 | 1.8.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper input validation when processing JavaScript challenges. The library used js2py to execute JavaScript from scraped pages but didn't disable the pyimport feature. This allowed attackers to craft JS with pyimport statements to execute arbitrary Python code. The fix in 1.8.0 explicitly calls js2py.disable_pyimport(), confirming the vulnerable code path was in the challenge-solving logic. The solve_challenge function is the primary point where JS evaluation occurs, making it the clear vulnerable component.