CVE-2025-61773
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
pyLoad is a free and open-source download manager written in Python. In versions prior to 0.5.0b3.dev91, the pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted. User-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation, so crafted input could alter the expected execution flow. The CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests, and the application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests. Version 0.5.0b3.dev91 contains a patch for the issue.
Meta Information
Published: 2025-10-09
Last Modified: 2025-10-14
Generated: 2026-05-07
AI Q&A: 2025-10-09
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: pyload | Product: pyload | Version / Range: 0.5.0b3.dev91
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-116: The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-61773 is a security vulnerability in the pyLoad download manager's web interface prior to version 0.5.0b3.dev91. It arises from insufficient input validation and sanitization of user-supplied parameters in the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allows attackers to inject arbitrary content into the web UI or manipulate request handling, potentially leading to client-side code execution such as Cross-Site Scripting (XSS) or other unintended behaviors. Specifically, crafted malicious HTTP requests can alter the application's execution flow by exploiting unsafe handling of untrusted input, enabling execution of arbitrary JavaScript in the context of the pyLoad Web UI. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including allowing attackers to execute arbitrary JavaScript code within the pyLoad Web UI. This can enable attackers to impersonate administrators, steal authentication cookies or tokens, and perform unauthorized actions within the application. The risk is especially high if the Web UI is exposed over a network without additional access controls, as attackers can remotely exploit the vulnerability via crafted links or requests. The vulnerability has a high severity rating with a CVSS v3.1 base score of 8.1, indicating high confidentiality and integrity impacts but no impact on availability. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP requests to the pyLoad web interface, specifically targeting the vulnerable endpoints such as `/flash/addcrypted2`. For example, crafted GET requests containing JavaScript payloads in parameters like `jk` (e.g., `jk=function(){alert(1)}`) indicate attempts to exploit the vulnerability. You can use network monitoring tools or command-line utilities like curl or tcpdump to detect such requests. Example command to test the vulnerability manually: `curl -G 'http://<pyload-server>/flash/addcrypted2' --data-urlencode 'jk=function(){alert(1)}'` and observe if the payload is reflected or executed in the web UI. Additionally, inspecting web server logs for unusual or suspicious parameter values in requests to the Captcha script endpoint or CNL blueprint endpoints can help detect exploitation attempts. [2]
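The log-review part of the answer above, as an added example that is not from the page or the pyLoad project: a small Python scanner that reads web-server access-log lines in the common "combined" format, keeps only requests to the CNL endpoint the advisory names (`/flash/addcrypted2`), and reports query parameters whose decoded values carry script markup, DOM/JS access or `../` sequences. In normal Click'N'Load use the `jk` parameter itself holds a short JavaScript function that returns a key, so the scanner does not treat the word `function` alone as a signal; the marker list, the watched-path set and the sample log lines are all constructed for this example, and the captcha script path is left for you to add from the fix commit.

```python
"""Flag pyLoad web-UI requests whose query parameters carry script-like content.

Added example (not pyLoad code): scans "combined" access-log lines for requests
to the CNL endpoint named in the advisory and reports parameter values that
contain script markup, DOM/JS access or path-traversal sequences.
The sample log lines at the bottom are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client - - [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the advisory names. Add the captcha script path from the fix commit
# (it is not named on the page, so it is not hard-coded here).
WATCHED_PATHS = {"/flash/addcrypted2"}

# Markers a legitimate CNL/captcha parameter has no reason to contain.
# `jk` legitimately holds a small JS function returning a key, so the word
# "function" alone is not used as a signal; markup and DOM access are.
SUSPICIOUS = re.compile(
    r"(<\s*script|</|javascript:|\bon[a-z]+\s*=|"
    r"\b(alert|eval|document|window|location)\s*[.(]|\.\./)",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded payloads are inspected decoded.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_params(rec):
    """Return {param_name: [matched markers...]} for values matching SUSPICIOUS."""
    hits = {}
    for name, values in rec["params"].items():
        markers = sorted({m.group(0).lower()
                          for v in values for m in SUSPICIOUS.finditer(v)})
        if markers:
            hits[name] = markers
    return hits


def scan(lines):
    """Return (client, timestamp, path, hits) for watched-endpoint requests with suspicious params."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        hits = suspicious_params(rec)
        if hits:
            findings.append((rec["client"], rec["ts"], rec["path"], hits))
    return findings


# Constructed sample lines: one well-formed CNL request, one with a JS payload in
# `jk`, one unrelated path, one with script markup in another CNL parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Oct/2025:12:00:01 +0000] "GET /flash/addcrypted2?passwords=&source=https://example.com'
    "&jk=function%20f()%7Breturn%20'0102030405060708090a0b0c0d0e0f10'%3B%7D&crypted=AAAA"
    ' HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.9 - - [09/Oct/2025:12:00:05 +0000] "GET /flash/addcrypted2?jk=function()%7Balert(1)%7D'
    ' HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [09/Oct/2025:12:00:09 +0000] "GET /search?q=alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Oct/2025:12:00:12 +0000] "GET /flash/addcrypted2?source='
    "%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%27%3C%2Fscript%3E"
    ' HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, ts, path, hits in scan(SAMPLE_LOG):
        print(f"{ts} {client} {path} {hits}")
```

Run it against a real log with `scan(open(path))`; anything it returns is worth pulling the full request (including POST bodies, which access logs do not record) from a proxy or WAF log, since the CNL endpoint also accepts form posts.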


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading pyLoad to version 0.5.0b3.dev91 or later, where the vulnerability is patched. The patch enforces strict input validation and sanitization using `werkzeug.utils.secure_filename` for filenames, origin whitelisting for message listeners in the Captcha script, and path traversal prevention checks. If upgrading immediately is not possible, restrict access to the pyLoad web interface by limiting network exposure (e.g., firewall rules, VPN access) to trusted users only, and monitor for suspicious requests. Additionally, consider applying temporary web application firewall (WAF) rules to block requests containing suspicious payloads targeting the vulnerable endpoints. [1, 2, 3]
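The three controls the answer above attributes to the patch, as an added example that is not pyLoad's code and does not reproduce the project's patch: a filename sanitizer standing in for `werkzeug.utils.secure_filename` (written with the standard library so the block runs without Werkzeug; the real function has more rules), a path-containment check against traversal, and an exact-match origin allowlist of the kind a message listener applies before acting on a received message. Function names, the base directory and the allowed origin are assumptions made for this example.

```python
"""Input-hardening checks of the kind the mitigation answer describes.

Added example, not pyLoad code. Standard library only:
  sanitize_filename - stand-in for werkzeug.utils.secure_filename
  resolve_inside    - path-traversal containment check
  origin_allowed    - exact-match allowlist for a message sender's origin
"""
import os
import re
from urllib.parse import urlsplit

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_filename(name):
    """Reduce an untrusted filename to one safe path component, or None.

    Drops directory parts (both separators), replaces anything outside
    [A-Za-z0-9_.-] with '_' and refuses names that collapse to '', '.' or '..'.
    Stand-in for werkzeug.utils.secure_filename, which applies further rules.
    """
    name = name.replace("\\", "/")
    name = os.path.basename(name)
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    if name in ("", ".", ".."):
        return None
    return name


def resolve_inside(base_dir, user_path):
    """Return the resolved path of user_path under base_dir, or None if it escapes.

    realpath() resolves '..' and symlinks before the containment check, so a
    lexical check on the raw string is never relied on.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def origin_allowed(origin, allowed_origins):
    """Exact-match check of a sender origin (scheme://host[:port]) against an allowlist.

    No prefix or substring matching: 'https://pyload.example:8000.attacker.example'
    must not pass for an allowlist entry of 'https://pyload.example:8000'.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc or parts.path or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    return normalized in {o.lower() for o in allowed_origins}


# Assumed deployment values for the demo below (not from the page).
DOWNLOAD_DIR = "/tmp/pyload_downloads"
ALLOWED_ORIGINS = {"https://pyload.example:8000"}

if __name__ == "__main__":
    for raw in ("report.pdf", "../../etc/passwd", "..", "my file (1).txt"):
        print(f"filename {raw!r:22} -> {sanitize_filename(raw)!r}")
    for rel in ("file.part", "../../etc/passwd", "/etc/passwd"):
        print(f"path     {rel!r:22} -> {resolve_inside(DOWNLOAD_DIR, rel)!r}")
    for origin in ("https://pyload.example:8000",
                   "https://pyload.example:8000.attacker.example", "null"):
        print(f"origin   {origin!r:50} -> {origin_allowed(origin, ALLOWED_ORIGINS)}")
```

The ordering matters in practice: sanitize the filename first, then build the path and run the containment check on the result, and reject rather than "repair" anything that fails either step.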

