CVE-2024-39205

CRITICAL

pyload-ng v0.5.0b3.dev85 - Remote Code Execution via Crafted HTTP Request

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-39205. PoCs were published by Marven11, btar1gan, Spencer McIntyre, and jheysel-r7, and include the Metasploit module exploits/linux/http/pyload_js2py_cve_2024_39205.

Description

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.

Exploits (3)

nomisec WORKING POC 17 stars
by Marven11 · poc
https://github.com/Marven11/CVE-2024-39205-Pyload-RCE

This repository contains a functional exploit for CVE-2024-39205, which leverages a js2py sandbox escape (CVE-2024-28397) in pyload-ng's `/flash/addcrypted2` API endpoint to achieve remote code execution. The exploit bypasses localhost restrictions via HTTP headers and executes arbitrary shell commands on vulnerable systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: pyload-ng (<=0.5.0b3.dev85) running on Python 3.11 or below
No auth needed
Prerequisites: Network access to the target pyload-ng instance · Target running Python 3.11 or below
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by btar1gan · poc
https://github.com/btar1gan/exploit_CVE-2024-39205

This exploit leverages a JavaScript-based reverse shell payload, likely targeting a Node.js or similar environment vulnerable to CVE-2024-39205. It uses prototype manipulation and subprocess execution to achieve remote code execution (RCE).

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a Node.js application or similar)
No auth needed
Prerequisites: Vulnerable application exposed to attacker-controlled input · Network connectivity to attacker's listener
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Marven11, Spencer McIntyre, jheysel-r7 · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb

This Metasploit module exploits CVE-2024-39205 in Pyload by leveraging a js2py sandbox escape (CVE-2024-28397) to achieve unauthenticated remote code execution via the /flash/addcrypted2 API endpoint. It bypasses localhost restrictions using the HOST header and executes arbitrary commands through a crafted JavaScript payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pyload <=0.5.0b3.dev85
No auth needed
Prerequisites: Network access to the target · Pyload service running on port 9666
devstral-2 · analyzed Jun 05, 2026

Scores

CVSS v3: 9.8
EPSS: 0.1651
EPSS Percentile: 96.6%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

Status: published
Products (1): pypi/pyload-ng (PyPI)
Published: Oct 28, 2024
Tracked Since: Feb 18, 2026