CVE-2025-53890
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-07-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload | pyload | * |
| pyload | pyload | 0.19 |
| pyload | pyload | 0.20 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53890 is a critical vulnerability in the pyLoad open-source download manager, specifically in its CAPTCHA processing code. The issue arises because the application unsafely evaluates JavaScript code received from unauthenticated remote attackers without any sanitization or validation, using the JavaScript eval() function. This allows attackers to execute arbitrary code in the client browser and potentially on the backend server, leading to severe consequences such as session hijacking, credential theft, and full system remote code execution. Exploitation requires no user interaction or authentication and targets the /interactive/captcha endpoint by sending crafted POST requests with malicious payloads. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing attackers to execute arbitrary code remotely without authentication or user interaction. This can lead to session hijacking, where attackers take over user sessions; credential theft, exposing sensitive login information; and full system remote code execution, potentially compromising the entire server running pyLoad. The high CVSS score (9.8) reflects the critical nature and ease of exploitation of this vulnerability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the vulnerable endpoint `/interactive/captcha` for unsafe JavaScript evaluation. Specifically, sending crafted POST requests to this endpoint with parameters such as `cid` and `response` containing malicious payloads (e.g., `response=1;alert(document.cookie)`) can reveal if the system is vulnerable. Detection can involve using tools like curl or similar HTTP clients to send these requests and observe if arbitrary code execution or unexpected behavior occurs. For example, a command to test might be: `curl -X POST https://<target>/interactive/captcha -d 'cid=someid&response=1;alert(document.cookie)'`. If the alert or code execution is triggered, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating pyLoad to version 0.20 or later, where the vulnerability is patched. The patch replaces unsafe `eval()` calls with a safer `Function` constructor, adds RSA signature verification of incoming scripts, and enforces strict mode execution to prevent arbitrary code execution. If updating immediately is not possible, restrict access to the `/interactive/captcha` endpoint to trusted users or networks, and monitor for suspicious POST requests. Avoid using or deploying versions prior to 0.20 that contain the unsafe JavaScript evaluation. Applying the official patch or upgrade is the most effective mitigation. [1, 2, 3]