Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.20
CVE-2025-53890 is a critical cross-site scripting (XSS) vulnerability in the CAPTCHA-processing code of pyLoad-ng. An unauthenticated remote attacker can run arbitrary JavaScript in the browser of a pyLoad user, and the advisory notes that this can be escalated to remote code execution (RCE) on the backend server. Affected versions are pyLoad-ng up to and including 0.5.0b3.dev89; the fix is listed as shipping in version 0.20.
The impact is severe because no authentication is required and the end state can be full compromise of the host. The attacker-controlled CAPTCHA result is passed straight into the client-side onCaptchaResult() function, which evaluates it as JavaScript instead of treating it as data. Any script that runs there executes in the origin and session of the logged-in pyLoad user: it can read session cookies, take over the account, and drive the pyLoad web interface with that user's privileges, which is the path by which the advisory says the bug can escalate to arbitrary commands on the server. The root cause is direct evaluation of untrusted input with no parsing or sanitization, the same pattern that makes eval()-style XSS sinks so dangerous in general.
No public exploit has been widely reported, but the bug is trivial to trigger and needs no credentials, so it should be treated as high priority. The advisory and the affected code are public on GitHub, which lowers the bar for writing a working exploit, and the CVSS score of 9.8 rates the issue as critical. Expect public proof-of-concept code to appear and plan patching accordingly. The vulnerability was publicly disclosed on 2025-07-15.
EPSS: 0.64% (70th percentile)
The primary mitigation for CVE-2025-53890 is to upgrade pyLoad-ng immediately to version 0.20 or later, which contains the fix. If upgrading is not immediately possible, the following reduce exposure but do not remove the bug: a Web Application Firewall (WAF) rule that blocks CAPTCHA-result submissions containing JavaScript-looking content (pattern matching on script syntax is bypassable, so treat this as a speed bump, not a fix); restricting network access to the pyLoad web UI so that unauthenticated parties cannot reach it; and a strict Content-Security-Policy header on the pyLoad UI. Because the sink here is string evaluation, a policy whose script-src omits 'unsafe-eval' blocks eval() and new Function() outright, but it may also break pyLoad's own front-end code, so test it on a staging instance first. In your own code, never evaluate server- or user-supplied strings; parse them and render them as data. After upgrading, confirm the fix on an instance you own by submitting a CAPTCHA result containing a harmless, visible payload (for example alert('XSS')) and checking that nothing executes.
Update pyLoad-ng to a release that contains the fix (0.20 or later, per the Fixed in field above). Note that 0.5.0b3.dev89 is itself the last affected version, so upgrading to it does not resolve the issue. The fix removes the insecure JavaScript evaluation in CAPTCHA processing, closing the path to code execution in the client browser and, through it, on the backend server.
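The following is an added illustration of the bug class described in the impact and mitigation sections above, not pyLoad's own code: a CAPTCHA-result handler that hands server-supplied text to eval(), beside a hardened handler that parses the result as JSON, validates its shape, and writes it to the page as text. The function names, the result format, the FakeElement stand-in for a DOM node, and the sample result strings are all assumptions made for the example so that it runs under Node without a browser.

```javascript
// Added example for the eval()-style XSS sink behind CVE-2025-53890.
// NOT pyLoad's code: names, message format and the fake DOM are assumptions.

// Minimal stand-in for a DOM element so this runs under Node without a browser.
class FakeElement {
  constructor() { this.textContent = ""; }
}

// Side-effect flag that the "attacker payload" below tries to set; it stands in
// for cookie theft or a request fired against the web UI with the victim's session.
globalThis.compromised = false;

// Constructed sample results as a client might receive them from the server.
// The benign one is a JS string literal; the malicious one is valid JavaScript
// that evaluates to the same solution but runs attacker code on the way.
const BENIGN_RESULT = "'h7kq2'";
const MALICIOUS_RESULT = "(globalThis.compromised = true, 'h7kq2')";

// VULNERABLE: the raw result text is evaluated, so anything that is valid
// JavaScript executes in the page's origin with the logged-in user's session.
function onCaptchaResultVulnerable(resultText, outputEl) {
  // eslint-disable-next-line no-eval
  const value = eval(resultText); // the sink
  outputEl.textContent = String(value);
  return outputEl.textContent;
}

// HARDENED: the server sends the solution JSON-encoded; the client parses it,
// rejects anything that is not a short alphanumeric string, and renders it via
// textContent. There is no code path that turns the result into executable JS.
const SOLUTION_RE = /^[A-Za-z0-9]{1,64}$/;

function parseCaptchaResult(resultText) {
  let parsed;
  try {
    parsed = JSON.parse(resultText);
  } catch (_err) {
    return null; // not JSON at all (e.g. raw JavaScript)
  }
  if (typeof parsed !== "string" || !SOLUTION_RE.test(parsed)) {
    return null; // wrong type, markup, or script-looking content
  }
  return parsed;
}

function onCaptchaResultHardened(resultText, outputEl) {
  const solution = parseCaptchaResult(resultText);
  if (solution === null) {
    outputEl.textContent = "invalid captcha result";
    return null;
  }
  outputEl.textContent = solution; // written as data, never as markup or code
  return solution;
}
```

Run the vulnerable handler on MALICIOUS_RESULT and globalThis.compromised flips to true while the page still shows the expected solution, which is why the bug is easy to miss in manual testing. The hardened handler returns null for the same input because raw JavaScript is not valid JSON, and it also rejects a JSON-encoded string containing markup or script, since the allow-list regex is checked after parsing.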
CVE-2025-53890 is a critical XSS vulnerability in pyLoad-ng versions up to and including 0.5.0b3.dev89 that lets unauthenticated attackers run malicious scripts through the CAPTCHA-processing code.
If you are running pyLoad-ng 0.5.0b3.dev89 or earlier, you are affected by this XSS vulnerability.
Upgrade pyLoad-ng to version 0.20 or later to resolve this vulnerability. Implement WAF rules and CSP headers as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the official pyLoad-ng GitHub repository and associated security advisories for the latest information and updates regarding CVE-2025-53890.