Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.5.0b3.dev91
CVE-2025-61773 describes a cross-site scripting (XSS) vulnerability affecting pyLoad-ng versions up to and including 0.5.0b3.dev90. The flaw stems from insufficient input validation in two parts of the web interface, the Captcha script endpoint and the Click'N'Load (CNL) Blueprint, which lets an attacker inject content that is rendered as markup or script. Successful exploitation results in attacker-controlled script running in the browser of a user who is logged in to the pyLoad web UI, with access to whatever that user's session can do; depending on the account, this can extend to the integrity of the host that pyLoad runs on. The vulnerability is fixed in version 0.5.0b3.dev91.
An attacker exploits the flaw by delivering a crafted payload to the Captcha script endpoint or the Click'N'Load Blueprint. Because the input is neither validated nor encoded before it reaches the web UI, the payload is interpreted by the browser of whoever views the affected page. The injected script runs in the origin of the pyLoad web interface, so it can issue requests with the victim's session (anything the victim's account is permitted to do through the UI), read the session cookie if it is not marked HttpOnly, redirect the user to a phishing page, or deface the interface. Whether this turns into persistent access depends on what the victim account can do through the web UI and on where the instance sits: a pyLoad process running as a privileged user on an internal network has a correspondingly larger blast radius. Note that Click'N'Load is meant to be driven by the user's browser on behalf of third-party web pages, which is exactly the delivery path a web attacker needs for an XSS payload.
CVE-2025-61773 was publicly disclosed on 2025-10-09 and is rated HIGH (CVSS 8.1). As of this writing there is no known public proof-of-concept, but XSS issues of this kind are typically simple to weaponize once the affected parameters are known, so a PoC could appear quickly. It is not currently listed on the CISA KEV catalog, but the client-side code execution it enables warrants ongoing monitoring.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-61773 is to upgrade pyLoad-ng to version 0.5.0b3.dev91 or later (the fixed versions listed above also include 0.5.1), which adds the missing input validation. If an immediate upgrade is not feasible because of compatibility or downtime constraints, reduce exposure in the meantime: restrict access to the Captcha script endpoint and the Click'N'Load Blueprint to trusted clients, and, if a web application firewall sits in front of the instance, enable its XSS rule set. Treat these as stop-gaps rather than fixes: a network allow-list does not stop a payload that the victim's own browser delivers, and WAF signatures are routinely bypassed. After upgrading, confirm the installed version (for example with `pip show pyload-ng`) and verify that a harmless test payload submitted to the previously affected endpoints is returned encoded rather than rendered as script.
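A practitioner's first question is whether a given install or requirements pin falls on the vulnerable side of the 0.5.0b3.dev91 boundary, and a naive string comparison gets pre-release and dev tags wrong (0.5.0b3.dev9 must sort below 0.5.0b3.dev90, and 0.5.0b3.dev91 below 0.5.0b3). The following Python is an added example, not code from pyLoad or from this page: it implements enough of PEP 440 ordering (release, a/b/rc, .post and .dev segments; no epochs or local versions) to compare pyload-ng versions correctly using only the standard library, and scans pip-freeze style text for exact `==` pins of the package. The sample freeze text is constructed for the example; in practice you would feed it real `pip freeze` output or a requirements file, and the third-party `packaging` library would normally do the version comparison.

```python
import re

# Boundary taken from the advisory: every version strictly below
# 0.5.0b3.dev91 is affected (0.5.0b3.dev90 is the last vulnerable build).
FIXED_VERSION = "0.5.0b3.dev91"

# Subset of the PEP 440 grammar: release, optional pre-release,
# optional .postN, optional .devN.  Epochs and local versions are not handled.
_VERSION_RE = re.compile(
    r"""^v?
        (?P<release>\d+(?:\.\d+)*)
        (?:[._-]?(?P<pre_l>a|b|rc|alpha|beta|c|pre|preview)[._-]?(?P<pre_n>\d*))?
        (?:[._-]?post[._-]?(?P<post_n>\d*))?
        (?:[._-]?dev[._-]?(?P<dev_n>\d*))?
        $""",
    re.IGNORECASE | re.VERBOSE,
)
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1,
             "c": 2, "pre": 2, "preview": 2, "rc": 2}


def version_key(version: str) -> tuple:
    """Sort key implementing PEP 440 ordering for the segments above.

    Within one release number: .devN < aN/bN/rcN < final < .postN, and a
    dev build of a pre-release (0.5.0b3.dev91) sorts before that pre-release
    (0.5.0b3) but after the previous one (0.5.0b2).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(p) for p in m["release"].split(".")]
    while len(release) > 1 and release[-1] == 0:   # 0.5 == 0.5.0
        release.pop()
    pre = (_PRE_RANK[m["pre_l"].lower()], int(m["pre_n"] or 0)) if m["pre_l"] else None
    post = int(m["post_n"] or 0) if m["post_n"] is not None else None
    dev = int(m["dev_n"] or 0) if m["dev_n"] is not None else None
    # A bare .devN (no pre-release) sorts before every pre-release of the
    # same number; a final release sorts after every pre-release.
    if pre is None and post is None and dev is not None:
        pre_key = (0,)
    elif pre is None:
        pre_key = (2,)
    else:
        pre_key = (1, *pre)
    post_key = (0,) if post is None else (1, post)
    dev_key = (1,) if dev is None else (0, dev)
    return (tuple(release), pre_key, post_key, dev_key)


def is_affected(installed: str) -> bool:
    """True when the installed pyload-ng version is below the fixed release."""
    return version_key(installed) < version_key(FIXED_VERSION)


def canonical_name(name: str) -> str:
    """PEP 503 normalisation so pyload-ng, pyload_ng and pyLoad.NG compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_pins(text: str, package: str = "pyload-ng") -> list:
    """Return [(name, version, affected)] for every exact (==) pin of
    `package` in pip-freeze / requirements.txt style text.  Comments, blank
    lines, other packages and non-exact specifiers are skipped."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, _, version = line.partition("==")
        name = name.split("[", 1)[0].strip()            # drop extras: pkg[extra]
        version = version.split(";", 1)[0].strip()      # drop environment markers
        if canonical_name(name) != canonical_name(package):
            continue
        hits.append((name, version, is_affected(version)))
    return hits


# Constructed sample input (not real project output): a pip freeze snippet
# pinning one affected and one fixed build of pyload-ng.
SAMPLE_FREEZE = """\
# generated by pip freeze on two hosts
Flask==3.0.3
pyload-ng==0.5.0b3.dev90
pyload_ng==0.5.0b3.dev91 ; python_version >= "3.8"
requests>=2.31       # not an exact pin, ignored
"""

if __name__ == "__main__":
    for name, version, affected in scan_pins(SAMPLE_FREEZE):
        status = f"AFFECTED (upgrade to {FIXED_VERSION} or later)" if affected else "ok"
        print(f"{name}=={version}: {status}")
```

Run it as-is to see the two constructed pins classified; point `scan_pins` at the output of `pip freeze` on each host to triage a fleet. The comparator deliberately refuses strings it does not understand instead of guessing, so an unexpected version format surfaces as an error rather than a false "ok".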
Update pyLoad to version 0.5.0b3.dev91 or later. This version contains a fix for the code-injection (XSS) vulnerability. You can download the latest version from the official pyLoad repository.
CVE-2025-61773 is a cross-site scripting (XSS) vulnerability in pyLoad-ng versions up to 0.5.0b3.dev90, allowing attackers to inject malicious content into the web interface.
You are affected if you are using pyLoad-ng version 0.5.0b3.dev90 or earlier. Upgrade to 0.5.0b3.dev91 or later to mitigate the risk.
Upgrade pyLoad-ng to version 0.5.0b3.dev91 or later. Consider temporary workarounds like restricting access to vulnerable endpoints if an immediate upgrade is not possible.
While no public exploits are currently known, XSS issues of this kind are typically simple to weaponize once the affected parameters are known, so active exploitation remains plausible. Continuous monitoring is recommended.
Refer to the official pyLoad-ng project website or repository for the latest security advisories and updates related to CVE-2025-61773.