Code Injection in pyload/pyload
Description
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated code injection in pyLoad before 0.5.0b3.dev31 allows remote attackers to execute arbitrary Python commands via crafted js2py requests.
Vulnerability
Description
CVE-2023-0297 is a code injection vulnerability in pyLoad, an open-source download manager, affecting versions prior to 0.5.0b3.dev31. The root cause lies in the unsafe use of the js2py library, which can be abused to execute arbitrary Python code through specially crafted inputs. [1][2]
Exploitation
The vulnerability requires no authentication, making it remotely exploitable over the network. An attacker can send a malicious request that leverages js2py's functionality to inject Python code. The attack surface is reachable without any special privileges, and the issue can be triggered with a single crafted HTTP request to the vulnerable endpoint. [1][3]
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary Python code on the server running pyLoad. This could lead to full compromise of the application and potentially the underlying system, including data theft, service disruption, or further network attacks. [1][3]
Mitigation
The vulnerability has been fixed in commit 7d73ba7919e594d783b3411d7ddb87885aea782d, and the official fix is included in pyLoad version 0.5.0b3.dev31 and later. Users are strongly advised to update to the latest version as soon as possible. A publicly available proof-of-concept exploit has been published, which further emphasizes the urgency of applying the patch. [1][2][3]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyload-ng (PyPI) | < 0.5.0b3.dev31 | 0.5.0b3.dev31 |
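Checking an installed pyload-ng against the advisory's range needs correct PEP 440 ordering, because 0.5.0b3.dev31 sorts below 0.5.0b3, which sorts below 0.5.0. The following is an added example, not code from pyLoad or the advisory; it implements only the PEP 440 subset these version strings use, and the `pip freeze` lines it scans are constructed.

```python
import re

# Fixed version from the advisory: every lower version is affected.
FIXED_VERSION = "0.5.0b3.dev31"
AFFECTED_PACKAGE = "pyload-ng"

# PEP 440 subset covering the advisory's strings: release, a/b/rc pre-release, .devN.
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre_l>a|alpha|b|beta|rc|c)(?P<pre_n>\d+))?"
    r"(?:\.dev(?P<dev>\d+))?$"
)
_PRE_ORDER = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2, "c": 2}

def version_key(version):
    """Sortable key implementing PEP 440 ordering for the subset above."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    while len(release) > 1 and release[-1] == 0:  # 0.5.0 == 0.5
        release = release[:-1]
    if m.group("pre_l"):
        pre = (_PRE_ORDER[m.group("pre_l")], int(m.group("pre_n")))
    elif m.group("dev") is not None:
        pre = (-1, 0)  # X.devN sorts before any pre-release of X
    else:
        pre = (3, 0)   # final release sorts after a/b/rc
    # A .devN suffix sorts before the same version without it: 0.5.0b3.dev31 < 0.5.0b3 < 0.5.0
    dev = (0, int(m.group("dev"))) if m.group("dev") is not None else (1, 0)
    return (release, pre, dev)

def is_affected(version):
    return version_key(version) < version_key(FIXED_VERSION)

def find_affected(freeze_lines):
    """Scan 'name==version' lines (pip freeze format) for affected installs."""
    hits = []
    for line in freeze_lines:
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        name = re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 name normalisation
        if name == AFFECTED_PACKAGE and is_affected(version):
            hits.append((name, version))
    return hits

# Constructed sample `pip freeze` output, not taken from a real host.
SAMPLE_FREEZE = ["js2py==0.74", "pyload-ng==0.5.0b3.dev30", "requests==2.31.0"]
```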
Affected products
- pyload/pyload/pyload v5 (range: unspecified)
Patches
- 7d73ba7919e5: fix arbitrary python code execution by abusing js2py functionality
1 file changed · +1 −2
src/pyload/core/utils/misc.py+1 −2 modified@@ -1,12 +1,11 @@ # -*- coding: utf-8 -*- import random -import socket import string import js2py -from .check import is_mapping +js2py.disable_pyimport() def random_string(length):
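Review bot: `js2py.disable_pyimport()` is added as a module-level side effect directly after `import js2py` in `misc.py`, so the protection only holds if this module is imported before any other code path evaluates untrusted JavaScript; a one-line comment stating that the call disables js2py's Python-import facility for the whole process, and a regression test asserting that a script using that facility now fails, would make the intent and the guarantee explicit. The removal of `import socket` and `from .check import is_mapping` is unrelated dead-import cleanup that would be clearer in a separate commit from the security fix.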
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-pf38-5p22-x6h6 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-0297 (GHSA, advisory)
- https://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html (GHSA, web)
- https://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html (GHSA, web)
- https://github.com/pyload/pyload/commit/7d73ba7919e594d783b3411d7ddb87885aea782d (GHSA, web)
- https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65 (GHSA, web)