GHSA-x698-5hjm-w2m5

Опубликовано: 08 июл. 2025

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages

Summary

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.

Details

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the Host header to the value of 127.0.0.1:9666.

PoC

The application has middleware that prevents access to several routes by checking whether the Host header has a specific value. We bypassed this restriction.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36

#: decorator def local_check(func): @wraps(func) def wrapper(*args, **kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", "0") http_host = flask.request.environ.get("HTTP_HOST", "0") if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in ( "127.0.0.1:9666", "[::1]:9666", ): return func(*args, **kwargs) else: return "Forbidden", 403 return wrapper

Below we see that the '/flash/add' endpoint uses the middleware above.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11

@bp.route("/flash/add", methods=["POST"], endpoint="add") @local_check def add():

Notice how we are not authorized to access this endpoint when sending a request.