PT-2023-16152 · Pypi +1 · Js2Py +1

Gammac0De · Published 2023-01-14 · Updated 2025-08-12 · CVE-2023-0297

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

pyload/pyload versions prior to 0.5.0b3.dev31

Description:

The issue is a code injection vulnerability in the pyload/pyload GitHub repository. It allows pre-authentication remote code execution (RCE) because pyLoad evaluates JavaScript from within Python using the js2py library. Specifically, the `eval_js()` function is vulnerable, as it executes JavaScript code passed through the `jk` parameter. This allows attackers to inject arbitrary commands. An example of exploitation is a POST request to the `/amogus/test` endpoint with malicious `jk` parameter content, such as `jk=pyimport os;os.system("touch /tmp/pwnd");f=function f2(){};`. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations:

For versions prior to 0.5.0b3.dev31, update to version 0.5.0b3.dev31 or later to resolve the issue.

As a temporary workaround, consider restricting access to the `eval_js()` function and the `/amogus/test` endpoint until a patch is applied.

Avoid using the `jk` parameter in the affected API endpoint until the issue is resolved.
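For triage while the upgrade is pending, the following added example (not part of the original advisory or of pyLoad's code) checks logged POST bodies for a `jk` field that uses the js2py `pyimport` statement seen in the payload above. The `(method, path, body)` record shape, the function names and the sample records are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# `pyimport` is the js2py statement the payload quoted in the description relies on.
# Word boundaries avoid matching identifiers that merely contain the string.
PYIMPORT = re.compile(r"\bpyimport\b")


def jk_hits(body):
    """Return the decoded `jk` values of a urlencoded body that use pyimport."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    return [value for value in fields.get("jk", []) if PYIMPORT.search(value)]


def scan(records):
    """Return (path, jk_value) for every POST whose `jk` field uses pyimport."""
    hits = []
    for method, path, body in records:
        if method.upper() != "POST":
            continue
        hits.extend((path, value) for value in jk_hits(body))
    return hits


# Constructed sample records (method, path, body); not real traffic.
SAMPLE = [
    ("POST", "/amogus/test", "jk=pyimport%20os%3Bf%3Dfunction%20f2()%7B%7D%3B"),
    ("POST", "/amogus/test", "jk=function+f()%7Breturn+1%7D&crypted=QUJD"),
    ("POST", "/amogus/test", "note=pyimport&jk=var+mypyimporter%3D1"),
    ("GET", "/amogus/test", ""),
]

if __name__ == "__main__":
    for path, value in scan(SAMPLE):
        print(f"ALERT {path}: jk={value!r}")
```

The check only matches the literal keyword after URL decoding, so a hit is a signal for investigation; the remediation remains the update to 0.5.0b3.dev31 or later.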

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-0297
GHSA-PF38-5P22-X6H6

Affected Products

Js2Py
Pyload