Cyber Resilience

CVE-2025-53890

Critical · RCE

Published: 15 July 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in 0.5.0b3.dev89
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0107 (78.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53890 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.9% of all CVEs by EPSS exploit likelihood (78.1st percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

pyload is an open-source download manager written in pure Python that contains an unsafe JavaScript evaluation vulnerability in its CAPTCHA processing code. The flaw, tracked as CVE-2025-53890 and assigned CWE-94, permits arbitrary code execution and carries a CVSS 3.1 score of 9.8. It affects all versions prior to the patched release 0.5.0b3.dev89.

Unauthenticated remote attackers can exploit the issue over the network without user interaction or credentials. Successful attacks enable arbitrary code execution in the client browser and potentially on the backend server, leading to session hijacking, credential theft, and full system remote code execution.

The official patch is provided in commit 909e5c97885237530d1264cfceb5555870eb9546 and is documented in GitHub security advisory GHSA-8w3f-4r8f-pf53 along with the associated pull request. The current and peak EPSS scores both stand at 0.0107, so the predicted likelihood of exploitation has not risen since disclosure.


Vulnerability details

pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Command and Scripting Interpreter: Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE via unsafe code evaluation (CWE-94) in the public-facing pyLoad web application enables initial access through T1190 and, on the backend, execution through the Python interpreter (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31220 (shared CWE-94)
CVE-2024-57609 (shared CWE-94)
CVE-2026-31231 (shared CWE-94)
CVE-2025-54550 (shared CWE-94)
CVE-2026-26216 (shared CWE-94)
CVE-2026-39891 (shared CWE-94)
CVE-2026-7466 (shared CWE-94)
CVE-2026-44334 (shared CWE-94)
CVE-2026-44887 (shared CWE-94)
CVE-2026-31225 (shared CWE-94)

Affected Assets

pyload, all versions prior to 0.5.0b3.dev89

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Flaw remediation directly addresses the CVE by requiring timely patching to version 0.5.0b3.dev89, which includes the fix for unsafe JavaScript evaluation in CAPTCHA processing.

SI-10 Information Input Validation (prevent)

Information input validation prevents unauthenticated attackers from injecting arbitrary JavaScript code into the CAPTCHA processing that could be unsafely evaluated.

SC-18 Mobile Code (prevent)

Mobile code controls restrict and scan JavaScript execution, mitigating arbitrary code execution from unsafe evaluation in pyload's CAPTCHA processing code.
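The CWE-94 pattern described in the Deeper analysis, and the input-validation control listed above under SI-10, as an added Python example that is not pyLoad's code: in the vulnerable version a CAPTCHA result string is handed to an evaluator as code, while in the hardened version it is parsed as data and checked against an explicit allow-list of shapes. The advisory concerns JavaScript evaluation; this sketch uses Python's eval() to show the same bug class. The function names, the two accepted result shapes (a click coordinate pair or a short alphanumeric text answer), the bounds, and the sample inputs are assumptions constructed for the example.

```python
"""Added example (not pyLoad code): CWE-94 in CAPTCHA result handling.

The vulnerable path uses the interpreter as a parser, so a result that is
also a valid expression executes. The hardened path parses the result as
data and accepts only two assumed shapes: a click coordinate pair or a
short alphanumeric text answer.
"""
import json
import re

# Demo-only sink that records whether injected code ran.
EXECUTED = []

# Constructed inputs. The first two are what a solver would legitimately
# return; the third is a hypothetical payload an attacker controlling the
# CAPTCHA channel could send: a valid Python expression with a side effect
# that still yields a plausible-looking coordinate pair.
BENIGN_COORDS = "[120, 45]"
BENIGN_TEXT = '"x7Q2m"'
MALICIOUS = "EXECUTED.append('payload ran') or [0, 0]"

TEXT_RE = re.compile(r"[A-Za-z0-9]{1,32}")
MAX_COORD = 2000   # assumed upper bound on a click coordinate
MAX_RAW_LEN = 256  # assumed upper bound on a serialized result


class InvalidCaptchaResult(ValueError):
    """Raised by the hardened parser for anything outside the allow-list."""


def parse_result_unsafe(raw):
    """Vulnerable: evaluates the untrusted string, so any expression runs."""
    return eval(raw)  # intentionally unsafe; this is the bug class under discussion


def parse_result_safe(raw):
    """Hardened: strict data parser; returns ("click", (x, y)) or ("text", s)."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        raise InvalidCaptchaResult("result missing or too long")
    try:
        value = json.loads(raw)  # a data parser, never an evaluator
    except ValueError as exc:
        raise InvalidCaptchaResult("result is not JSON") from exc
    if isinstance(value, str):
        if not TEXT_RE.fullmatch(value):
            raise InvalidCaptchaResult("text answer outside allowed charset")
        return ("text", value)
    # type(v) is int rather than isinstance(): bool is a subclass of int in Python
    if (isinstance(value, list) and len(value) == 2
            and all(type(v) is int and 0 <= v <= MAX_COORD for v in value)):
        return ("click", (value[0], value[1]))
    raise InvalidCaptchaResult("unexpected result shape")


if __name__ == "__main__":
    print("unsafe, benign :", parse_result_unsafe(BENIGN_COORDS))
    print("unsafe, payload:", parse_result_unsafe(MALICIOUS), "executed:", EXECUTED)
    print("safe, benign   :", parse_result_safe(BENIGN_COORDS), parse_result_safe(BENIGN_TEXT))
    try:
        parse_result_safe(MALICIOUS)
    except InvalidCaptchaResult as exc:
        print("safe, payload  : rejected ->", exc)
```

The point of the hardened parser is not the JSON call by itself but the allow-list after it: a generic deserializer still accepts any shape, so each accepted form is pinned down by type, length and range before it is returned to the caller. The same discipline applies on the browser side of a CAPTCHA flow, where a result must be treated as data (JSON.parse plus validation) rather than passed to eval or an equivalent.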
