Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.20
CVE-2025-53890 describes a critical Cross-Site Scripting (XSS) vulnerability within the CAPTCHA processing code of pyLoad-ng. This flaw allows unauthenticated remote attackers to execute arbitrary code within a user's browser, potentially escalating to full Remote Code Execution (RCE) on the backend server. The vulnerability affects versions of pyLoad-ng up to and including 0.5.0b3.dev89, with a fix available in version 0.20.
The impact of CVE-2025-53890 is severe due to its unauthenticated nature and potential for complete system compromise. An attacker can inject malicious JavaScript code through the CAPTCHA result, which is then directly evaluated by the onCaptchaResult() function. This allows them to steal user session cookies, hijack accounts, and potentially execute arbitrary commands on the server if the application has sufficient privileges. The direct evaluation of attacker-controlled input without sanitization is the root cause, mirroring the dangers of similar XSS vulnerabilities where malicious scripts can be injected and executed.
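The root cause described above, shown as an added sketch that is not pyLoad-ng's own code: one handler evaluates the CAPTCHA result as code, the other parses it as data and allowlists its shape. Every name except onCaptchaResult is hypothetical, and the JSON-string answer format and its character set are assumptions.

```javascript
// Added illustration, not pyLoad-ng source. Names other than onCaptchaResult
// are hypothetical, and the answer format is an assumption.

// Unsafe pattern: the CAPTCHA result string is evaluated as code.
function onCaptchaResultUnsafe(result) {
  return (0, eval)(result); // whatever the sender put in `result` now runs
}

// Hardened pattern: parse the result as data, then allowlist its shape.
const ANSWER_RE = /^[A-Za-z0-9 _-]{1,64}$/; // assumed answer alphabet and length
function onCaptchaResultSafe(result) {
  let value;
  try {
    value = JSON.parse(result); // JSON.parse never executes its input
  } catch {
    return { ok: false, reason: "not valid JSON" };
  }
  if (typeof value !== "string" || !ANSWER_RE.test(value)) {
    return { ok: false, reason: "unexpected type or characters" };
  }
  return { ok: true, answer: value };
}

function demo() {
  const benign = '"k7Qx2"'; // constructed sample answer
  const hostile = 'globalThis.__captchaDemoRan = true; "k7Qx2"'; // constructed, harmless marker
  globalThis.__captchaDemoRan = false;
  const unsafeValue = onCaptchaResultUnsafe(hostile);
  return {
    unsafeValue,                                 // looks like a normal answer
    unsafeRanCode: globalThis.__captchaDemoRan,  // but the side effect happened
    safeBenign: onCaptchaResultSafe(benign),
    safeHostile: onCaptchaResultSafe(hostile),
    safeMarkup: onCaptchaResultSafe('"<b>k7Qx2</b>"'),
  };
}

console.log(demo());
```

The unsafe handler returns a normal-looking answer while the embedded statement has already run, which is why output inspection alone does not reveal this class of bug.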
While no public exploits have been widely reported, the ease of exploitation and unauthenticated nature of the vulnerability make it a high-priority concern. The vulnerability's presence on GitHub suggests potential for rapid exploitation. The CVSS score of 9.8 indicates a critical severity. Public proof-of-concept code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on 2025-07-15.
Organizations utilizing pyLoad-ng for media downloading and management, particularly those with publicly accessible CAPTCHA endpoints, are at significant risk. Environments with legacy configurations or those lacking robust input validation practices are especially vulnerable. Shared hosting environments where multiple users share the same pyLoad-ng instance are also at increased risk.
• python / server: Monitor pyLoad-ng logs for unusual activity or errors related to CAPTCHA processing. Look for suspicious JavaScript code being passed as CAPTCHA results.
    grep -i 'eval' /var/log/pyload-ng/error.log
• generic web: Use curl or wget to test CAPTCHA endpoints with payloads containing JavaScript code. Examine the response for signs of script execution (e.g., an alert box).
    curl -X POST -d 'result=<script>alert("XSS")</script>' <pyload-ng_captcha_endpoint>
Exploit status
EPSS: 0.64% (percentile 70%)
The primary mitigation for CVE-2025-53890 is to immediately upgrade pyLoad-ng to version 0.20 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious JavaScript code in the CAPTCHA result. Additionally, carefully review and sanitize all user-supplied input before rendering it in the browser. Implement strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, limiting the impact of a successful XSS attack. After upgrading, confirm the fix by attempting to submit a CAPTCHA result containing a simple JavaScript payload (e.g., alert('XSS')) and verifying that it is not executed.
Upgrade pyLoad to version 0.5.0b3.dev89 or later. This fixes the remote code execution vulnerability caused by unsafe JavaScript evaluation in CAPTCHA processing. The upgrade prevents arbitrary code execution in the client's browser and potentially on the backend server.
CVE-2025-53890 is a critical XSS vulnerability in pyLoad-ng versions up to 0.5.0b3.dev89, allowing attackers to execute malicious scripts via the CAPTCHA processing code.
Yes, if you are running pyLoad-ng versions 0.5.0b3.dev89 or earlier, you are vulnerable to this XSS attack.
Upgrade pyLoad-ng to version 0.20 or later to resolve this vulnerability. Implement WAF rules and CSP headers as temporary mitigations.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the official pyLoad-ng GitHub repository and associated security advisories for the latest information and updates regarding CVE-2025-53890.