Plattform
python
Komponente
pyload-ng
Behoben in
0.5.1
0.5.0b3.dev91
CVE-2025-61773 describes a cross-site scripting (XSS) vulnerability affecting pyLoad-ng versions up to 0.5.0b3.dev90. This flaw stems from insufficient input validation within the web interface's Captcha script endpoint and Click'N'Load (CNL) Blueprint, allowing attackers to inject malicious content. Successful exploitation could lead to client-side code execution and other unintended behaviors, potentially compromising user sessions and system integrity. The vulnerability has been resolved in version 0.5.0b3.dev91.
An attacker can exploit this XSS vulnerability by crafting malicious payloads and submitting them through the Captcha script endpoint or the Click'N'Load Blueprint. The lack of proper input validation allows these payloads to be processed unsafely, injecting arbitrary content into the web UI. This injected content can then execute client-side scripts, potentially stealing user cookies, redirecting users to phishing sites, or defacing the pyLoad-ng web interface. The impact extends beyond simple defacement; an attacker could leverage this vulnerability to gain persistent access to the system if they can execute malicious code within the context of a legitimate user's session. The potential for lateral movement depends on the privileges of the user account accessing the vulnerable pyLoad-ng instance, but the blast radius could be significant if the system is part of a larger network.
CVE-2025-61773 was publicly disclosed on 2025-10-09. The vulnerability's severity is rated as HIGH (CVSS 8.1). As of this writing, there are no known public proof-of-concept exploits available, but the ease of exploitation inherent in XSS vulnerabilities suggests that a PoC could emerge quickly. It is not currently listed on CISA KEV, but its potential for client-side code execution warrants ongoing monitoring.
Organizations utilizing pyLoad-ng for download management and those with publicly accessible instances are at risk. Specifically, deployments using older versions (≤0.5.0b3.dev90) and those with limited input validation practices are particularly vulnerable. Shared hosting environments where multiple users share the same pyLoad-ng instance are also at increased risk.
• python: Monitor pyLoad-ng logs for unusual HTTP requests containing suspicious characters or patterns commonly associated with XSS attacks (e.g., <script>, <iframe>, javascript:).
• generic web: Use curl or wget to test the Captcha script endpoint and Click'N'Load Blueprint with various payloads containing XSS patterns. Examine the response for signs of code execution.
curl -X POST -d '<script>alert("XSS")</script>' https://your-pyload-ng-instance/captcha• generic web: Inspect access and error logs for requests containing XSS payloads or resulting in errors related to script execution. • generic web: Check response headers for unexpected content or modifications that could indicate XSS activity.
disclosure
Exploit-Status
EPSS
0.04% (13% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-61773 is to upgrade pyLoad-ng to version 0.5.0b3.dev91 or later, which contains the necessary input validation fixes. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. These may include restricting access to the Captcha script endpoint and Click'N'Load Blueprint to trusted users only. Web application firewalls (WAFs) can be configured to filter out potentially malicious input based on known XSS patterns. Regularly review and sanitize user input within the pyLoad-ng web interface to prevent future vulnerabilities. After upgrading, confirm the fix by attempting to submit a known malicious payload through the Captcha script endpoint and verifying that it is properly sanitized and does not execute.
Actualice pyLoad a la versión 0.5.0b3.dev91 o superior. Esta versión contiene una corrección para la vulnerabilidad de inyección de código. Puede descargar la última versión desde el repositorio oficial de pyLoad.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-61773 is a cross-site scripting (XSS) vulnerability in pyLoad-ng versions up to 0.5.0b3.dev90, allowing attackers to inject malicious content into the web interface.
You are affected if you are using pyLoad-ng version 0.5.0b3.dev90 or earlier. Upgrade to 0.5.0b3.dev91 or later to mitigate the risk.
Upgrade pyLoad-ng to version 0.5.0b3.dev91 or later. Consider temporary workarounds like restricting access to vulnerable endpoints if an immediate upgrade is not possible.
While no public exploits are currently known, the ease of exploitation inherent in XSS vulnerabilities suggests potential for active exploitation. Continuous monitoring is recommended.
Refer to the official pyLoad-ng project website or repository for the latest security advisories and updates related to CVE-2025-61773.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.