diff --git a/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json b/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json
new file mode 100644
index 0000000000000..de78971c56a6c
--- /dev/null
+++ b/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json
@@ -0,0 +1,73 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8w3f-4r8f-pf53",
+ "modified": "2025-07-11T13:55:00Z",
+ "published": "2025-07-03T14:00:00Z",
+ "aliases": [
+ "CVE-2025-53890"
+ ],
+ "summary": "Remote Code Execution via unsafe eval() in pyLoad CAPTCHA handler",
+ "details": "An unsafe JavaScript evaluation vulnerability exists in pyLoad’s CAPTCHA processing code, specifically in the `onCaptchaResult()` function located in `captcha-interactive.user.js`. This function directly calls `eval(result)` on user-supplied input without any sanitization, allowing attackers to inject and execute arbitrary JavaScript. If executed in environments that support NodeJS or where server-client contexts are bridged (such as with js2py or unsafe browser logic), this vulnerability can escalate to full remote code execution.\n\nThe vulnerable endpoint `/interactive/captcha` processes POST requests containing the malicious `response` parameter, which is directly injected into an `eval()` call on the client side.\n\nBecause the attack requires no authentication or user interaction, it may be exploited by remote unauthenticated attackers to achieve session hijacking, sensitive data exfiltration, and in certain contexts, server-side command execution. The issue affects official releases prior to commit `909e5c97885237530d1264cfceb5555870eb9546`.\n\nThis vulnerability was discovered and reported by Andri (odaysec).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "pyload"
+ },
+ "ranges": [
+ {
+ "type": "GIT",
+ "repo": "https://github.com/pyload/pyload",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "909e5c97885237530d1264cfceb5555870eb9546"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.4.20"
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53"
+ },
+ {
+ "type": "FIX",
+ "url": "https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pyload/pyload/pull/4586"
+ },
+ {
+ "type": "WEB",
+ "url": "https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval"
+ },
+ {
+ "type": "WEB",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53890"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2025-07-03T14:00:00Z",
+ "nvd_published_at": "2025-07-03T16:45:00Z"
+ }
+}
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy