From e709f611daa9de27a85f1273669c3cf75354a7bd Mon Sep 17 00:00:00 2001
From: Zeroday BYTE <github@zerodaysec.org>
Date: Tue, 15 Jul 2025 04:17:19 -0700
Subject: [PATCH] [GHSA-8w3f-4r8f-pf53] Remote code execution through js2py
 onCaptchaResult

---
 .../GHSA-8w3f-4r8f-pf53.json                  | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json

diff --git a/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json b/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json
new file mode 100644
index 0000000000000..de78971c56a6c
--- /dev/null
+++ b/advisories/github-reviewed/2025/07/GHSA-8w3f-4r8f-pf53/GHSA-8w3f-4r8f-pf53.json
@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8w3f-4r8f-pf53",
+  "modified": "2025-07-11T13:55:00Z",
+  "published": "2025-07-03T14:00:00Z",
+  "aliases": [
+    "CVE-2025-53890"
+  ],
+  "summary": "Remote Code Execution via unsafe eval() in pyLoad CAPTCHA handler",
+  "details": "An unsafe JavaScript evaluation vulnerability exists in pyLoad’s CAPTCHA processing code, specifically in the `onCaptchaResult()` function located in `captcha-interactive.user.js`. This function directly calls `eval(result)` on user-supplied input without any sanitization, allowing attackers to inject and execute arbitrary JavaScript. If executed in environments that support NodeJS or where server-client contexts are bridged (such as with js2py or unsafe browser logic), this vulnerability can escalate to full remote code execution.\n\nThe vulnerable endpoint `/interactive/captcha` processes POST requests containing the malicious `response` parameter, which is directly injected into an `eval()` call on the client side.\n\nBecause the attack requires no authentication or user interaction, it may be exploited by remote unauthenticated attackers to achieve session hijacking, sensitive data exfiltration, and in certain contexts, server-side command execution. The issue affects official releases prior to commit `909e5c97885237530d1264cfceb5555870eb9546`.\n\nThis vulnerability was discovered and reported by Andri (odaysec).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pyload"
+      },
+      "ranges": [
+        {
+          "type": "GIT",
+          "repo": "https://github.com/pyload/pyload",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "909e5c97885237530d1264cfceb5555870eb9546"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "0.4.20"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-8w3f-4r8f-pf53"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/pyload/pyload/commit/909e5c97885237530d1264cfceb5555870eb9546"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyload/pyload/pull/4586"
+    },
+    {
+      "type": "WEB",
+      "url": "https://cheatsheetseries.owasp.org/cheatsheets/JavaScript_Security_Cheat_Sheet.html#eval"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53890"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-07-03T14:00:00Z",
+    "nvd_published_at": "2025-07-03T16:45:00Z"
+  }
+}