CVE-2025-57751 Overview
pyLoad is a free, open-source download manager written in pure Python. The CNL (Click'N'Load) Blueprint accepts a jk parameter from user requests. The application passes this value directly into dukpy.evaljs() without validating its content. An unauthenticated attacker can submit crafted JavaScript that consumes CPU resources, fully saturating the server and rendering the web UI unresponsive. The flaw is tracked as CWE-400: Uncontrolled Resource Consumption and is fixed in 0.5.0b3.dev92.
Critical Impact
Remote unauthenticated attackers can trigger CPU exhaustion in pyLoad, producing a denial-of-service condition that disables the web interface.
Affected Products
- pyLoad download manager
- pyLoad CNL (Click'N'Load) Blueprint component
- pyLoad versions prior to 0.5.0b3.dev92
Discovery Timeline
- 2025-08-21 - CVE-2025-57751 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-57751
Vulnerability Analysis
The vulnerability resides in pyLoad's CNL Blueprint, which handles Click'N'Load requests. The endpoint reads the jk parameter directly from user input. The application then passes the raw value to dukpy.evaljs() for JavaScript evaluation. Because no validation, length restriction, or execution timeout is applied, attackers control what code runs inside the evaluator.
An attacker can supply a jk payload containing computationally expensive JavaScript, such as a tight infinite loop or a nested computation. The evaluator processes the payload synchronously, occupying CPU cycles and blocking the web UI thread. Repeated requests amplify the condition and prevent legitimate users from accessing the download manager.
The issue is classified under CWE-400: Uncontrolled Resource Consumption. Exploitation requires no authentication, no privileges, and no user interaction. The attack vector is network-based.
Root Cause
The root cause is missing input verification on the jk parameter before invoking dukpy.evaljs(). The CNL protocol expects jk to contain a key-generation function, but pyLoad accepts any JavaScript string. Without a syntactic check, execution timeout, or sandbox boundary, the evaluator becomes a generic JavaScript engine exposed to untrusted input.
Attack Vector
An attacker sends an HTTP request to the pyLoad CNL endpoint with a malicious jk value. The server invokes dukpy.evaljs() on that value, executing attacker-supplied JavaScript synchronously. The CPU is fully consumed and the web UI stops responding. The attacker does not need credentials and does not need to interact with any user. See the GitHub Security Advisory for additional technical context.
Detection Methods for CVE-2025-57751
Indicators of Compromise
- Sustained 100% CPU utilization by the pyLoad process without corresponding download activity
- HTTP requests to CNL Blueprint endpoints containing unusually long or syntactically complex jk parameter values
- Web UI becoming unresponsive or timing out shortly after specific external requests
- Repeated POST requests from the same source to /flash/addcrypted2 or related CNL routes
Detection Strategies
- Inspect web server access logs for requests to CNL endpoints containing jk payloads with loop constructs such as while(1) or large iteration counts
- Monitor for correlation between inbound CNL requests and CPU saturation events on the pyLoad host
- Apply web application firewall rules that flag oversized or JavaScript-heavy jk parameter values
Monitoring Recommendations
- Track process-level CPU usage of the pyLoad daemon and alert on prolonged saturation
- Forward pyLoad access logs to a centralized log platform and create detections for anomalous CNL request patterns
- Monitor web UI availability with synthetic checks to detect denial-of-service conditions quickly
How to Mitigate CVE-2025-57751
Immediate Actions Required
- Upgrade pyLoad to version 0.5.0b3.dev92 or later, which adds verification of the jk parameter
- Restrict network access to the pyLoad web interface so it is not exposed to the public internet
- Place pyLoad behind a reverse proxy or WAF that enforces request size and rate limits on CNL endpoints
Patch Information
The maintainers fixed the issue in pyLoad 0.5.0b3.dev92 by adding validation of the jk parameter before it reaches dukpy.evaljs(). Patch details and commit references are available in the pyLoad GitHub Security Advisory GHSA-9gjj-6gj7-c4wj.
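One way to apply the missing verification at the point where the CNL handler reads jk, as an added example rather than pyLoad's own patch: the value is capped in length and matched against the one shape a Click'N'Load client legitimately sends (assumed here to be a trivial function returning a 32-hex-character key), and the key is recovered by pattern match, so no request-controlled JavaScript reaches the evaluator at all. The names extract_cnl_key, check_jk and MAX_JK_LENGTH are the example's own.

```python
import re

# Added example, not pyLoad's code. Allowlist check for the CNL "jk" parameter,
# applied before any JavaScript evaluator would be invoked.
MAX_JK_LENGTH = 512  # constructed bound; a benign jk is a few dozen characters

# Assumed shape of a benign Click'N'Load jk payload, e.g.
#   function f(){ return '0123456789abcdef0123456789abcdef'; }
JK_PATTERN = re.compile(
    r"""^\s*function\s+[A-Za-z_]\w*\s*\(\s*\)\s*\{\s*"""
    r"""return\s*['"]([0-9A-Fa-f]{32})['"]\s*;?\s*\}\s*;?\s*$"""
)

# Loop keywords have no place in a key-returning stub; they are only used to
# give operators a more specific rejection reason in the logs.
LOOP_KEYWORD = re.compile(r"\b(while|for|do)\b")


def extract_cnl_key(jk: str) -> str:
    """Return the hex key from a well-formed jk, or raise ValueError.

    No JavaScript is executed: the key is recovered by pattern match, which
    closes the path where attacker-chosen code runs inside the evaluator.
    """
    if not isinstance(jk, str):
        raise ValueError("jk must be a string")
    if len(jk) > MAX_JK_LENGTH:
        raise ValueError(f"jk exceeds {MAX_JK_LENGTH} characters")
    match = JK_PATTERN.match(jk)
    if match is None:
        loop = LOOP_KEYWORD.search(jk)
        reason = f"loop keyword '{loop.group(1)}'" if loop else "unexpected shape"
        raise ValueError(f"jk rejected: {reason}")
    return match.group(1).lower()


def check_jk(jk: str) -> tuple:
    """Non-raising wrapper returning (accepted, key_or_reason) for logging."""
    try:
        return True, extract_cnl_key(jk)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: one benign payload and two abusive ones.
    for sample in (
        "function f(){ return '0123456789abcdef0123456789ABCDEF'; }",
        "function f(){ while(1){} return '00'; }",
        "function f(){ " + "x=1;" * 200 + " return '00'; }",
    ):
        print(check_jk(sample))
```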
Workarounds
- Disable the CNL Blueprint feature if Click'N'Load functionality is not required
- Bind the pyLoad service to localhost and require VPN or SSH tunnel access for administration
- Apply rate limiting and source IP allow-lists at the network or reverse proxy layer to limit unauthenticated requests to CNL routes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.