# GHSA-8w3f-4r8f-pf53
Vulnerability from github

#### Summary
An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system RCE.

#### Details
The vulnerable code resides in:

```javascript
function onCaptchaResult(result) {
  eval(result); // Direct execution of attacker-controlled input
}
```

* The `onCaptchaResult()` function directly passes CAPTCHA results (sent from the user) into `eval()`
* No sanitization or validation is performed on this input
* A malicious CAPTCHA result can include JavaScript such as `fetch()` or `child_process.exec()` in environments using NodeJS
* Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
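As an added example (not pyLoad's code and not the fix shipped in the referenced commit), here is the vulnerable pattern quoted above next to a hardened handler. The result shapes it accepts (a short alphanumeric text solution, or `x,y` click coordinates) are assumptions chosen for illustration, not pyLoad's actual wire format; the point is that the CAPTCHA result is validated against an allowlist and forwarded as form data, and nothing received from the user is ever handed to `eval()`.

```javascript
// Added example, not pyLoad's code or its patch: the vulnerable pattern from
// the advisory beside a hardened handler that treats the result as data.

// Vulnerable pattern quoted in the advisory: whatever arrives is executed.
// Kept here for contrast only; it is never called below.
function onCaptchaResultVulnerable(result) {
  return eval(result); // eslint-disable-line no-eval
}

// Assumed result shapes for this example (not pyLoad's real format):
//   - a typed text solution: letters/digits, 1..32 chars
//   - click coordinates: "x,y" with non-negative integers
const TEXT_SOLUTION = /^[A-Za-z0-9]{1,32}$/;
const CLICK_SOLUTION = /^(\d{1,5}),(\d{1,5})$/;

// Parse the untrusted result into a plain object, or return null if it does
// not match an allowed shape. Nothing here is ever evaluated as code.
function parseCaptchaResult(result) {
  if (typeof result !== "string") return null;
  const value = result.trim();
  if (TEXT_SOLUTION.test(value)) {
    return { kind: "text", value };
  }
  const m = CLICK_SOLUTION.exec(value);
  if (m) {
    return { kind: "click", x: Number(m[1]), y: Number(m[2]) };
  }
  return null;
}

// Build the application/x-www-form-urlencoded body that would be POSTed to
// the backend. The value travels as an encoded parameter; even if the
// allowlist were loosened, it never becomes a code path on the client.
function buildSubmission(cid, parsed) {
  if (!Number.isInteger(cid) || cid < 0 || parsed === null) return null;
  const params = new URLSearchParams();
  params.set("cid", String(cid));
  params.set(
    "response",
    parsed.kind === "text" ? parsed.value : `${parsed.x},${parsed.y}`
  );
  return params.toString();
}

// Hardened replacement for onCaptchaResult: validate, then hand off as data.
function onCaptchaResultHardened(cid, result) {
  const parsed = parseCaptchaResult(result);
  if (parsed === null) {
    return { ok: false, reason: "rejected: result does not match an allowed shape" };
  }
  const body = buildSubmission(cid, parsed);
  if (body === null) {
    return { ok: false, reason: "rejected: invalid captcha id" };
  }
  return { ok: true, body };
}

// Walk the advisory's own payload through the hardened handler.
const demo = onCaptchaResultHardened(123, "1;alert(document.cookie)");
console.log(demo); // { ok: false, reason: "rejected: result does not match an allowed shape" }
```

The two regular expressions are the allowlist; anything that does not match them is dropped before it reaches the transport layer, so a payload like the one in the advisory is rejected on shape alone rather than on a denylist of dangerous substrings.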
### Reproduction Methods
1. **Official Source Installation**:
```bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
```

2. **Virtual Environment**:
```bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
```

## CAPTCHA Endpoint Verification

**Technical Clarification**:
1. The vulnerable endpoint is actually:
   ```
   /interactive/captcha
   ```
2. Complete PoC Request:
   ```http
   POST /interactive/captcha HTTP/1.1
   Host: localhost:8000
   Content-Type: application/x-www-form-urlencoded

   cid=123&response=1%3Balert(document.cookie)
   ```
3. Curl Command Correction:
   ```bash
   curl -X POST "http://localhost:8000/interactive/captcha" \
     -d "cid=123&response=1%3Balert(document.cookie)"
   ```
4. **Vulnerable Code Location**:
   The eval() vulnerability is confirmed in:
   ```
   src/pyload/webui/app/static/js/captcha-interactive.user.js
   ```
### Resources
1. https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
2. [OWASP: Avoid `eval()`](https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval)
3. [#4586](https://github.com/pyload/pyload/pull/4586)
```json
{
  "affected": [
    {
      "package": { "ecosystem": "PyPI", "name": "pyload-ng" },
      "ranges": [
        {
          "events": [ { "introduced": "0" }, { "fixed": "0.20" } ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [ "CVE-2025-53890" ],
  "database_specific": {
    "cwe_ids": [ "CWE-79", "CWE-94" ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-15T15:38:10Z",
    "nvd_published_at": "2025-07-15T00:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "#### Summary\nAn unsafe JavaScript evaluation vulnerability in pyLoad\u2019s CAPTCHA processing code allows **unauthenticated remote attackers** to execute **arbitrary code** in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.\n\n\n\n#### Details\nThe vulnerable code resides in \n```javascript\nfunction onCaptchaResult(result) {\n eval(result); // Direct execution of attacker-controlled input\n}\n```\n\n* The `onCaptchaResult()` function directly passes CAPTCHA results (sent from the user) into `eval()`\n* No sanitization or validation is performed on this input\n* A malicious CAPTCHA result can include JavaScript such as `fetch()` or `child_process.exec()` in environments using NodeJS\n* Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it\n\n\n\n### Reproduction Methods\n1. **Official Source Installation**:\n```bash\ngit clone https://github.com/pyload/pyload\ncd pyload\ngit checkout 0.4.20\npython -m pip install -e .\npyload --userdir=/tmp/pyload\n```\n\n2. **Virtual Environment**:\n```bash\npython -m venv pyload-env\nsource pyload-env/bin/activate\npip install pyload==0.4.20\npyload\n```\n\n## CAPTCHA Endpoint Verification\n\n\n**Technical Clarification**: \n1. The vulnerable endpoint is actually:\n ```\n /interactive/captcha\n ```\n\n2. Complete PoC Request:\n```http\nPOST /interactive/captcha HTTP/1.1\nHost: localhost:8000\nContent-Type: application/x-www-form-urlencoded\n\ncid=123\u0026response=1%3Balert(document.cookie)\n```\n\n3. Curl Command Correction:\n```bash\ncurl -X POST \"http://localhost:8000/interactive/captcha\" \\\n -d \"cid=123\u0026response=1%3Balert(document.cookie)\"\n```\n\n\n1. **Vulnerable Code Location**: \n The eval() vulnerability is confirmed in:\n ```\n src/pyload/webui/app/static/js/captcha-interactive.user.js\n ```\n\n\n\n### **Resources**\n\n1. https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546\n2. [OWASP: Avoid `eval()`](https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval)\n3. [#4586](https://github.com/pyload/pyload/pull/4586)",
  "id": "GHSA-8w3f-4r8f-pf53",
  "modified": "2025-07-15T15:38:10Z",
  "published": "2025-07-15T15:38:10Z",
  "references": [
    { "type": "WEB", "url": "https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53890" },
    { "type": "WEB", "url": "https://github.com/pyload/pyload/pull/4586" },
    { "type": "WEB", "url": "https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546" },
    { "type": "PACKAGE", "url": "https://github.com/pyload/pyload" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" }
  ],
  "summary": "pyLoad vulnerable to XSS through insecure CAPTCHA "
}
```
## Sightings

| Author | Source | Type | Date |
|---|---|---|---|

## Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.