
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-61773 affects pyLoad, a free and open-source download manager written in Python, in versions prior to 0.5.0b3.dev91. The vulnerability was discovered in the web interface, specifically in the Captcha script endpoint and Click'N'Load (CNL) Blueprint, where insufficient input validation allowed untrusted user input to be processed unsafely. This security flaw was disclosed on October 9, 2025, and received a CVSS v3.1 base score of 8.1 (High) (GitHub Advisory).
The vulnerability stems from two primary weaknesses in the pyLoad web interface: insufficient input validation in both the Captcha script endpoint and the CNL Blueprint. The application failed to properly validate or sanitize user-supplied parameters from HTTP requests before passing them into the application logic and response generation. This allowed crafted input to alter the expected execution flow. The CNL blueprint exposed unsafe handling of untrusted parameters in HTTP requests, lacking consistent input validation and encoding mechanisms (GitHub Advisory, NVD).
The vulnerability enables attackers to inject and execute arbitrary JavaScript within the browser session of users accessing the pyLoad Web UI. This could lead to administrator impersonation, theft of authentication cookies or tokens, and unauthorized actions performed on behalf of victims. The impact is particularly severe when the Web UI is exposed over a network without additional access restrictions, as it allows remote attackers to directly target users with crafted links or requests (GitHub Advisory).
The vulnerability has been patched in version 0.5.0b3.dev91. The fix includes strengthening input validation in the captcha script and CNL Blueprint, implementing proper sanitization of user-supplied package names using werkzeug.utils.secure_filename, and adding validation of message origins before processing (GitHub Commit, GitHub PR).
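As an added illustration (not pyLoad's own code), the following Python shows the two mitigations the fix describes: reducing a user-supplied package name to a safe token with a stand-in that mirrors the filtering of werkzeug.utils.secure_filename, and checking the request's Origin against an allowlist before the message is processed. The allowed origins, the handler name and the response format are assumptions for the example.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Allowlist of characters kept in a sanitized package name. This mirrors the
# filter werkzeug.utils.secure_filename applies; it is a stand-in, not werkzeug.
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")

# Constructed allowlist of origins a CNL-style local endpoint would accept.
ALLOWED_ORIGINS = {"http://localhost:9666", "http://127.0.0.1:9666"}


def sanitize_package_name(name: str) -> str:
    """Reduce an untrusted package name to a safe ASCII token.

    Steps follow secure_filename: drop non-ASCII, turn path separators into
    spaces, join words with underscores, remove everything outside the
    allowlist, then trim leading/trailing dots and underscores so no
    traversal sequence or HTML metacharacter survives.
    """
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for sep in ("/", "\\"):
        name = name.replace(sep, " ")
    return _SAFE_CHARS.sub("", "_".join(name.split())).strip("._")


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS) -> bool:
    """Accept a message only when its Origin header is exactly an allowed
    scheme://host[:port]. A missing or malformed Origin is rejected."""
    if not origin_header:
        return False
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed


def handle_add_package(raw_name: str, origin_header):
    """Hypothetical request handler returning (status, html_body).

    The name is sanitized before it reaches application logic and
    HTML-escaped (defense in depth) before it is reflected into the response.
    """
    if not origin_allowed(origin_header):
        return 403, "<p>origin not allowed</p>"
    name = sanitize_package_name(raw_name)
    if not name:
        return 400, "<p>invalid package name</p>"
    return 200, f"<p>added package {html.escape(name)}</p>"
```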
Source: This report was generated using AI