CVE-2025-53890
Published: 15 July 2025
Summary
CVE-2025-53890 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 21.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Deeper analysis
pyload is an open-source download manager written in pure Python that contains an unsafe JavaScript evaluation vulnerability in its CAPTCHA processing code. The flaw, tracked as CVE-2025-53890 and assigned CWE-94, permits arbitrary code execution and carries a CVSS 3.1 score of 9.8. It affects all versions prior to the patched release 0.5.0b3.dev89.
Unauthenticated remote attackers can exploit the issue over the network without user interaction or credentials. Successful attacks enable arbitrary code execution in the client browser and potentially on the backend server, leading to session hijacking, credential theft, and full system remote code execution.
The official patch is provided in commit 909e5c97885237530d1264cfceb5555870eb9546 and is documented in GitHub security advisory GHSA-8w3f-4r8f-pf53 along with the associated pull request. The current and peak EPSS scores both stand at 0.0107, indicating no material increase in observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21406
Vulnerability details
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE via unsafe code evaluation (CWE-94) in the public-facing pyload web application enables T1190 (Exploit Public-Facing Application) and, on the backend, T1059.006 (Command and Scripting Interpreter: Python) execution.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) directly addresses the CVE by requiring timely patching to version 0.5.0b3.dev89, which includes the fix for unsafe JavaScript evaluation in CAPTCHA processing.
Information input validation (SI-10) prevents unauthenticated attackers from injecting arbitrary JavaScript code into the CAPTCHA processing path, where it could otherwise be unsafely evaluated.
Mobile code controls (SC-18) restrict and inspect JavaScript execution, mitigating arbitrary code execution from unsafe evaluation in pyload's CAPTCHA processing code.