pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
The addcrypted endpoint in the CNL Blueprint module of pyLoad-ng constructs the target file path in an unsafe manner, without proper sanitization of the package parameter. An attacker can submit a specially crafted request containing path traversal sequences (e.g., '../'), which allows writing a file to any location in the file system — outside the intended storage directory. The vulnerability is available without authentication (PR:N, UI:N). By overwriting critical system files, such as cron jobs or systemd services, an attacker can cause privilege escalation and execute arbitrary code as root.
An attacker without any privileges can write arbitrary files to the server's file system, overwrite critical system files, and thus gain full control of the host with root privileges (RCE, privilege escalation).
pyLoad-ng should be immediately updated to version 0.5.0b3.dev90, in which the vulnerability has been fixed. The fix commit is available at: https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4. Until the update is applied, it is recommended to restrict network access to the pyLoad-ng instance exclusively to trusted IP addresses.
pyLoad-ng (Pyload-Ng Project) in versions 0.5.0b3.dev89 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPyload Ng Project Pyload Ng
APPPyload-Ng Project0.5.0b3.dev89
Related vulnerabilities
SSRF w pyLoad-NG – obejście filtra przez przekierowania HTTP
CSRF w pyLoad umożliwia wykonanie dowolnych wywołań API bez uwierzytelnienia
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a f...
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_v...
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMIN_O...