pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- < 0.5.0b3.dev92
A denial-of-service vulnerability has been identified in pyLoad versions prior to 0.5.0b3.dev92. The issue arises in the CNL Blueprint, which passes the 'jk' parameter to the dukpy.evaljs() function without verifying it, so user input is executed as JavaScript. A script that runs for a long time keeps the server's CPU fully occupied, and the web interface becomes unresponsive.
Exploitation of this vulnerability leads to excessive CPU usage, causing the application to become unresponsive and temporarily unavailable to users.
To reproduce this vulnerability, send a POST request to the '/flash/addcrypted2' endpoint with the 'jk' parameter containing a JavaScript payload designed to run for an extended period, such as a loop that lasts 30 seconds or more. The 'crypted' parameter must also be included, encoded in base64. This can be done using a tool like curl.
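One way to remove the unvalidated evaluation described above, as an added example (not pyLoad's code and not its actual fix): read the key out of 'jk' with a strict pattern instead of handing it to a JavaScript engine. It assumes a legitimate 'jk' is a function that returns a 32-character hex literal; `extract_key`, `check_request`, the length limit and the sample values are hypothetical.

```python
import binascii
import re

# Assumption: a legitimate 'jk' value is a one-line function that returns the
# key as a hex string literal, e.g.  function f(){ return '3132...'; }
# Input that does not match exactly is rejected and never evaluated.
JK_PATTERN = re.compile(
    r"""\s*function\s+f\s*\(\s*\)\s*\{\s*return\s+(['"])([0-9A-Fa-f]{32})\1\s*;?\s*\}\s*;?\s*"""
)
MAX_JK_LENGTH = 256  # constructed limit; the expected wrapper is far shorter


class InvalidJk(ValueError):
    """Raised when 'jk' is not the expected key-returning function."""


def extract_key(jk):
    """Return the 16-byte key from 'jk' without running any JavaScript."""
    if not isinstance(jk, str) or len(jk) > MAX_JK_LENGTH:
        raise InvalidJk("jk missing or too long")
    match = JK_PATTERN.fullmatch(jk)
    if match is None:
        raise InvalidJk("jk is not a plain key-returning function")
    return binascii.unhexlify(match.group(2))


def check_request(form):
    """Hypothetical handler step: HTTP status to answer for this form."""
    try:
        extract_key(form.get("jk", ""))
    except InvalidJk:
        return 400  # refuse before any script engine sees the input
    return 200


# Constructed sample inputs (not taken from the advisory).
SAMPLE_OK = "function f(){ return '31323334353637383930393837363534'; }"
SAMPLE_REJECTED = "function f(){ return compute(); }"  # not a literal

if __name__ == "__main__":
    for name, value in (("ok", SAMPLE_OK), ("rejected", SAMPLE_REJECTED)):
        print(name, check_request({"jk": value}))
```

Where the script really must be evaluated, the same gate still applies first, and the evaluation belongs in a worker process with a hard time limit so a slow script cannot hold the web server's CPU.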