Unsafe JavaScript Evaluation in pyload Download Manager
CVE-2025-53890

9.8CRITICAL

Key Information:

Vendor

Pyload

Status
Pyload
Vendor
CVE Published:
15 July 2025

What is CVE-2025-53890?

A significant vulnerability exists in pyload's CAPTCHA processing, which is susceptible to unsafe JavaScript evaluation. This flaw enables unauthenticated remote attackers to execute arbitrary code within the client's browser. Such exploitation does not require user interaction or authentication, leading to critical security risks, including session hijacking and credential theft. If successfully exploited, this vulnerability can affect both the client-side and potentially the backend server, exposing users to severe threats. The issue has been addressed in version 0.5.0b3.dev89.

Affected Version(s)

pyload < 0.5.0b3.dev89

References

https://github.com/pyload/pyload/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/pyload/pyload/pull/4586
x_refsource_MISC
https://github.com/pyload/pyload/commit/909e5c97885237530...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.