CVE-2025-57751: 
Python vulnerability analysis and mitigation

CVE-2025-57751 is a denial-of-service vulnerability discovered in pyLoad, a free and open-source Download Manager written in Python. The vulnerability was disclosed on August 21, 2025, and affects versions prior to 0.5.0b3.dev92. The issue stems from insufficient verification of the jk parameter in pyLoad CNL Blueprint, where user input is directly passed to dykpy.evaljs() function (GitHub Advisory).

The vulnerability exists in the /flash/addcrypted2 endpoint of pyLoad's CNL Blueprint. When processing POST requests, the application receives a jk parameter which is passed directly to the eval_js function without proper validation. The eval_js function uses dukpy.evaljs() for Python versions 3.12 and above, allowing arbitrary JavaScript execution. The vulnerability has been assigned a CVSS v4.0 score of 7.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P (NVD).

When exploited, this vulnerability can cause the server CPU to become fully occupied, resulting in the web-ui becoming unresponsive. The attack can lead to system resource exhaustion, causing service interruption and making the application inaccessible to legitimate users (GitHub Advisory).

The vulnerability is fixed in version 0.5.0b3.dev92 of pyLoad. Users are advised to upgrade to this version or later to protect against this vulnerability (GitHub Advisory).