CVE-2022-30286
Published: 09 May 2022
Summary
CVE-2022-30286 is a high-severity vulnerability in PyScript; no specific weakness type (CWE) has been assigned. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an information disclosure flaw in pyscriptjs (also known as the PyScript Demonstrator), affecting PyScript versions through 2022-05-04. It allows a remote user to read Python source code served by the affected component; the CVSS 7.5 rating reflects a network-reachable confidentiality impact that requires neither authentication nor user interaction.
A remote attacker can exploit the issue over the network to retrieve Python source that should remain private, exposing application logic and any sensitive data embedded in it. A public proof-of-concept demonstrates reading Python source from an exposed PyScript deployment. Note that PyScript executes Python inside the browser (Pyodide on WebAssembly), so any code placed inline in a <py-script> tag or loaded through its src attribute is by design delivered to every visitor; in practice this means secrets and server-side logic must be kept out of PyScript code rather than waiting for a server-side fix.
The references include detailed PoCs, vulnerability chaining examples, and links to the project's commit history, but no explicit patch or mitigation guidance is given in the available sources. The EPSS score has held at 0.3080 with no notable rise after disclosure.
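As an added example (not code from the PyScript project or from the referenced PoCs), the following Python audit script shows what a visitor can read from a PyScript page: it parses the served HTML, collects the bodies of inline <py-script> tags and the files referenced by their src attributes, and flags lines that look like embedded credentials. The SAMPLE_HTML page, the requests_stub module name, the key value and the secret-matching patterns are all constructed for this example; run it against a real page by feeding audit_pyscript_page() the HTML you fetched.

```python
"""Audit an HTML page for Python source that PyScript ships to the browser.

Added example, not PyScript's own code. PyScript executes Python inside the
browser, so everything in a <py-script> tag, or in the file named by its src
attribute, is delivered to every visitor. SAMPLE_HTML and SECRET_PATTERNS are
constructed for this example; requests_stub and the key value are fictitious.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one inline block with an embedded key, one src file.
SAMPLE_HTML = """<html><head>
<script defer src="https://pyscript.net/alpha/pyscript.js"></script>
</head><body>
<py-script>
import requests_stub
API_KEY = "sk-live-example-not-real"
def fetch():
    return requests_stub.get("https://api.example.invalid/", headers={"x-key": API_KEY})
</py-script>
<py-script src="./app/private_logic.py"></py-script>
</body></html>"""

# Heuristic identifiers that usually mean a secret is sitting in client code.
SECRET_PATTERNS = [re.compile(p, re.I) for p in (
    r"api[_-]?key", r"secret", r"password", r"token", r"private[_-]?key")]


class PyScriptCollector(HTMLParser):
    """Collect inline <py-script> bodies and src attribute values."""

    def __init__(self):
        super().__init__()
        self.inline = []      # inline Python source blocks, as strings
        self.sources = []     # src attribute values (files the browser fetches)
        self._depth = 0       # > 0 while inside a <py-script> element
        self._buf = []        # text chunks of the current inline block

    def handle_starttag(self, tag, attrs):
        if tag != "py-script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        self._depth += 1
        self._buf = []

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "py-script" and self._depth:
            self._depth -= 1
            body = "".join(self._buf).strip()
            if body:                      # src-only tags have an empty body
                self.inline.append(body)
            self._buf = []


def audit_pyscript_page(html):
    """Return what a visitor can read: inline code, fetched files, suspect lines."""
    parser = PyScriptCollector()
    parser.feed(html)
    parser.close()
    suspect = [
        line.strip()
        for block in parser.inline
        for line in block.splitlines()
        if any(pat.search(line) for pat in SECRET_PATTERNS)
    ]
    return {"inline": parser.inline, "sources": parser.sources, "suspect_lines": suspect}


if __name__ == "__main__":
    report = audit_pyscript_page(SAMPLE_HTML)
    print(f"{len(report['inline'])} inline block(s), {len(report['sources'])} src file(s)")
    for src in report["sources"]:
        print("fetched by every visitor:", src)
    for line in report["suspect_lines"]:
        print("exposed to every visitor:", line)
```

The src entries matter as much as the inline blocks: a file like ./app/private_logic.py is requested by the browser over plain HTTP(S), so anyone who can load the page can also download it directly. The secret patterns are a coarse heuristic and will produce false positives; treat a hit as a prompt to review, not proof of a leak.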
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52238
Vulnerability details
pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.
- CWE(s): none assigned (unspecified weakness)
Related Threats
No named threat actor attribution yet. ATT&CK technique mapping for this CVE is in progress.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet; the per-CVE control annotator has not yet processed this CVE.