CVE-2025-57751

pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92.

CVSS

No CVSS.

References

Link	Resource
https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj

Configurations

No configuration.

History

22 Aug 2025, 18:08

Type	Values Removed	Values Added
Summary		(es) pyLoad es un gestor de descargas gratuito y de código abierto, escrito en Python puro. El parámetro jk se recibe en el CNL Blueprint de pyLoad. Debido a la falta de verificación del parámetro jk, el parámetro jk introducido por el usuario se determina directamente como dykpy.evaljs(), lo que provoca que la CPU del servidor se ocupe por completo y que la interfaz web deje de responder. Esta vulnerabilidad se corrigió en la versión 0.5.0b3.dev92.

21 Aug 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-21 19:15

Updated : 2025-08-22 18:08

NVD link : CVE-2025-57751

Mitre link : CVE-2025-57751

CVE.ORG link : CVE-2025-57751

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2025-57751", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-21T19:15:43.227", "references": [{"url": "https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto, escrito en Python puro. El par\u00e1metro jk se recibe en el CNL Blueprint de pyLoad. Debido a la falta de verificaci\u00f3n del par\u00e1metro jk, el par\u00e1metro jk introducido por el usuario se determina directamente como dykpy.evaljs(), lo que provoca que la CPU del servidor se ocupe por completo y que la interfaz web deje de responder. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.5.0b3.dev92."}], "lastModified": "2025-08-22T18:08:51.663", "sourceIdentifier": "security-advisories@github.com"}