
CVE-2025-57751: Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs

August 21, 2025 (updated August 22, 2025)

The pyLoad CNL Blueprint receives a jk parameter. Because the jk parameter is not validated, the value supplied by the user is passed directly to dukpy.evaljs(), resulting in the server CPU being fully occupied and the web UI becoming unresponsive.

References

  • github.com/advisories/GHSA-9gjj-6gj7-c4wj
  • github.com/pyload/pyload
  • github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj
  • nvd.nist.gov/vuln/detail/CVE-2025-57751


Affected versions

All versions before 0.5.0b3.dev92

Fixed versions

  • 0.5.0b3.dev92

Solution

Upgrade to version 0.5.0b3.dev92 or above.

Weakness

  • CWE-400: Uncontrolled Resource Consumption

Source file

pypi/pyload-ng/CVE-2025-57751.yml


Page generated Sat, 23 Aug 2025 00:19:49 +0000.