CVE-2025-7346 pyload-ng

Package

Manager: pip
Name: pyload-ng
Vulnerable Version: >=0 <=0.5.0b3.dev88

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00166 (percentile 0.38091)

Details

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages.

### Summary

Any unauthenticated attacker can bypass the localhost restrictions imposed by the application and use this to create arbitrary packages.

### Details

Any unauthenticated attacker can bypass the localhost restrictions imposed by the application and use this to create arbitrary packages. This is done by changing the `Host` header to the value `127.0.0.1:9666`.

### PoC

The application has middleware that prevents access to several routes by checking whether the `Host` header has a specific value. We bypassed this restriction.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36

```python
#: decorator
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")
        # The check passes if the peer address is loopback OR the
        # client-supplied Host header matches one of two literal values.
        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
            "127.0.0.1:9666",
            "[::1]:9666",
        ):
            return func(*args, **kwargs)
        else:
            return "Forbidden", 403

    return wrapper
```

Below we see that the `/flash/add` endpoint uses the middleware above.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11

```python
@bp.route("/flash/add", methods=["POST"], endpoint="add")
@local_check
def add():
    ...
```

Notice how we are not authorized to access this endpoint when sending a request.

![image](https://user-images.githubusercontent.com/44903767/294935526-64217d91-c0d1-4d8f-963f-cedfa8dc9034.png)

However, if we set the `Host` header to `127.0.0.1:9666`, we notice the request returns `success`.

![image](https://user-images.githubusercontent.com/44903767/294933755-43ad3826-0e94-4ba5-acf0-48f11670cbc6.png)

Checking the front end as an admin, we now see that this did indeed succeed.

![image](https://user-images.githubusercontent.com/44903767/294934431-5d024c75-59dc-47b6-8887-b14ae91e320f.png)

### Impact

An unauthenticated user can perform actions that should only be available to authenticated users.
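The root cause above is that the `Host` header is client-controlled while `REMOTE_ADDR` is set by the server from the TCP peer. The following added example (not pyLoad's code, and the hardened variant is an assumed fix, not the project's actual patch) reproduces the original decision logic against plain WSGI `environ` dicts with constructed addresses, and places a check beside it that decides solely on the peer address, parsed with `ipaddress` rather than compared as strings.

```python
import ipaddress

# Constructed WSGI environ fragments (not captured traffic): a request
# arriving from the loopback interface, and a remote client (TEST-NET
# address) that merely sets the Host header the original check trusts.
LOCAL_REQUEST = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "pyload.example:8000"}
SPOOFED_HOST_REQUEST = {"REMOTE_ADDR": "203.0.113.5", "HTTP_HOST": "127.0.0.1:9666"}


def is_local_vulnerable(environ):
    """Same decision as the pre-fix local_check: loopback peer OR a
    matching, attacker-chosen Host header is enough to pass."""
    remote_addr = environ.get("REMOTE_ADDR", "0")
    http_host = environ.get("HTTP_HOST", "0")
    return remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
        "127.0.0.1:9666",
        "[::1]:9666",
    )


def is_local_hardened(environ):
    """Assumed hardening: ignore HTTP_HOST entirely and accept only a
    loopback peer address.  Parsing with ipaddress also covers textual
    variants the string tuple misses (e.g. 0000:...:0001)."""
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed peer address: deny
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped before the loopback test.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def guarded_add(checker, environ):
    """Stand-in for the guarded /flash/add handler: returns the body and
    status code the chosen check would produce for this request."""
    if checker(environ):
        return "success", 200
    return "Forbidden", 403


if __name__ == "__main__":
    for name, req in (("local", LOCAL_REQUEST), ("spoofed host", SPOOFED_HOST_REQUEST)):
        print(name, "vulnerable:", guarded_add(is_local_vulnerable, req),
              "hardened:", guarded_add(is_local_hardened, req))
```

Run as a script it shows the spoofed-Host request succeeding under the original logic and being rejected under the peer-address-only check, while the genuine loopback request passes both.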

Metadata

Created: 2025-07-08T21:36:52Z
Modified: 2025-07-08T23:38:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-x698-5hjm-w2m5/GHSA-x698-5hjm-w2m5.json
CWE IDs: ["CWE-284", "CWE-290"]
Alternative ID: GHSA-x698-5hjm-w2m5
Finding: F032
Auto approve: 1