CVE-2025-53890
Published: 15 July 2025
Summary
CVE-2025-53890 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly addresses the CVE by requiring timely patching to version 0.5.0b3.dev89, which includes the fix for unsafe JavaScript evaluation in CAPTCHA processing.
SI-10 (Information Input Validation): treating CAPTCHA task data as data, and rejecting anything that is not the expected structure, stops unauthenticated attackers from smuggling JavaScript into the CAPTCHA processing path where it would be evaluated.
SC-18 (Mobile Code): restricting and inspecting which JavaScript the web UI is allowed to execute limits arbitrary code execution from unsafe evaluation in pyload's CAPTCHA processing code.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote code execution through unsafe code evaluation (CWE-94) in the public-facing pyload web application maps to T1190 (Exploit Public-Facing Application). Because the backend is pure Python, code execution reaching the server maps to T1059.006 (Command and Scripting Interpreter: Python).
NVD Description
pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.
Deeper analysis
CVE-2025-53890 is an unsafe JavaScript evaluation vulnerability in pyload, an open-source download manager written in pure Python. The flaw resides in pyload's CAPTCHA processing code, enabling unauthenticated remote attackers to execute arbitrary code. It affects versions of pyload prior to the patch committed as 909e5c97885237530d1264cfceb5555870eb9546, which is included in version 0.5.0b3.dev89. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution in the victim's client browser and potentially on the backend server, leading to session hijacking, credential theft, and full system remote code execution.
Mitigation is available via the referenced commit 909e5c97885237530d1264cfceb5555870eb9546, incorporated into pyload version 0.5.0b3.dev89. Additional details are provided in the pyload GitHub security advisory GHSA-8w3f-4r8f-pf53 and the associated pull request #4586. Security practitioners should update to the patched version and, in similar Python-based web applications, review any web-UI code that evaluates strings received from the backend or from plugins as JavaScript rather than parsing them as data.
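The pattern the advisory describes, as an added example that is not pyload's code: a web UI receives a CAPTCHA task from the backend and, in the vulnerable handler, turns the plugin-supplied params string into an object with eval(), so anyone who can influence that string runs JavaScript in the user's browser session. The hardened handler beside it parses params as JSON data only and allowlists the CAPTCHA type and parameter keys, which is what the SI-10 (input validation) and SC-18 (mobile code) controls listed under Mitigating Controls amount to in code. The task shape, field names (type, params, sitekey, url, src), allowed types and the two sample tasks are assumptions made for this demonstration, not pyload's actual wire format or fix.

```javascript
// Added example (not pyload's code): the unsafe-eval pattern behind CWE-94
// in a CAPTCHA task handler, next to a data-only parser that replaces it.
// Task shape, field names, allowed types and the sample tasks below are
// constructed for this demonstration; they are not pyload's wire format.

const ALLOWED_CAPTCHA_TYPES = new Set(["image", "recaptcha", "hcaptcha"]);

// Per-type allowlist of parameter keys, each with a validator for its value.
const PARAM_SCHEMA = {
  image: { src: isDataOrHttpsUrl },
  recaptcha: { sitekey: isSiteKey, url: isHttpsUrl },
  hcaptcha: { sitekey: isSiteKey, url: isHttpsUrl },
};

function isHttpsUrl(v) {
  if (typeof v !== "string") return false;
  try { return new URL(v).protocol === "https:"; } catch { return false; }
}
function isDataOrHttpsUrl(v) {
  return typeof v === "string" && (v.startsWith("data:image/") || isHttpsUrl(v));
}
function isSiteKey(v) {
  return typeof v === "string" && /^[A-Za-z0-9_-]{1,128}$/.test(v);
}

// VULNERABLE: "params" is a string the server relays from a plugin, and the
// UI turns it into an object with eval(). Whoever can influence that string
// (a hostile site the plugin scraped, a MITM, a malicious plugin) runs
// arbitrary JavaScript in the user's browser session.
function processCaptchaTaskUnsafe(task) {
  const params = eval("(" + task.params + ")"); // CWE-94: treats data as code
  return { type: task.type, params };
}

// HARDENED: parse params as JSON data, then accept only a known type and
// known keys whose values pass a validator. No string is ever executed.
function processCaptchaTaskSafe(task) {
  if (typeof task !== "object" || task === null) {
    throw new TypeError("task must be an object");
  }
  if (!ALLOWED_CAPTCHA_TYPES.has(task.type)) {
    throw new RangeError(`unsupported captcha type: ${String(task.type)}`);
  }
  let raw;
  try {
    raw = JSON.parse(task.params);
  } catch {
    throw new SyntaxError("params must be a JSON object, not code");
  }
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    throw new TypeError("params must be a JSON object");
  }
  const params = {};
  for (const [key, check] of Object.entries(PARAM_SCHEMA[task.type])) {
    if (!check(raw[key])) throw new RangeError(`invalid or missing param: ${key}`);
    params[key] = raw[key];
  }
  // Unknown keys are dropped rather than forwarded to the renderer.
  return { type: task.type, params };
}

// Constructed sample tasks: one benign, one carrying code inside "params".
const BENIGN_TASK = {
  type: "recaptcha",
  params: '{"sitekey":"6Lc_demo_key","url":"https://example.test/download"}',
};
const HOSTILE_TASK = {
  type: "recaptcha",
  params: '{"sitekey": (globalThis.pwned = "attacker code ran"), "url": "https://example.test/"}',
};

// Runs both handlers over both tasks and reports what happened.
function demo() {
  delete globalThis.pwned;
  const benignUnsafe = processCaptchaTaskUnsafe(BENIGN_TASK);
  const benignSafe = processCaptchaTaskSafe(BENIGN_TASK);
  processCaptchaTaskUnsafe(HOSTILE_TASK); // side effect: the payload executes
  const unsafeExecutedAttackerCode = globalThis.pwned === "attacker code ran";
  delete globalThis.pwned;
  let safeRejected = false;
  try {
    processCaptchaTaskSafe(HOSTILE_TASK);
  } catch (e) {
    // Rejected as malformed JSON, and nothing in the payload ran.
    safeRejected = e instanceof SyntaxError && globalThis.pwned === undefined;
  }
  return { benignUnsafe, benignSafe, unsafeExecutedAttackerCode, safeRejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node: demo() shows the hostile task setting a global in the unsafe path and being rejected with a SyntaxError, with nothing executed, in the safe path, while the benign task is rendered identically by both. The same rule applies to the server side of such an application: a string received from a plugin or a remote site is never an argument to eval() or exec(), in JavaScript or in Python.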
Details
- CWE(s)