FKIE_CVE-2025-54802

Vulnerability from fkie_nvd - Published: 2025-08-05 01:15 - Updated: 2025-10-09 17:32
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
References
security-advisories@github.comhttps://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4Patch
security-advisories@github.comhttps://github.com/pyload/pyload/pull/4596Exploit, Patch
security-advisories@github.comhttps://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264Exploit, Vendor Advisory
Impacted products
Vendor Product Version
pyload-ng_project pyload-ng 0.5.0b3.dev89
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev89:*:*:*:*:python:*:*",
              "matchCriteriaId": "0DB5128C-2AF7-4255-A80F-9EA9F4FEBA52",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90."
    },
    {
      "lang": "es",
      "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. En las versiones 0.5.0b3.dev89 y anteriores, existe la posibilidad de path traversal en el CNL Blueprint de pyLoad-ng mediante el par\u00e1metro \"paquete\", lo que permite la escritura arbitraria de archivos y la ejecuci\u00f3n remota de c\u00f3digo (RCE). El endpoint addcrypted de pyload-ng presenta una vulnerabilidad de construcci\u00f3n de rutas inseguras, que permite a atacantes no autenticados escribir archivos arbitrarios fuera del directorio de almacenamiento designado. Esto puede utilizarse para sobrescribir archivos cr\u00edticos del sistema, como tareas cron y servicios systemd, lo que provoca la escalada de privilegios y la ejecuci\u00f3n remota de c\u00f3digo como root. Este problema se solucion\u00f3 en la versi\u00f3n 0.5.0b3.dev90."
    }
  ],
  "id": "CVE-2025-54802",
  "lastModified": "2025-10-09T17:32:39.157",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-05T01:15:42.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/pyload/pyload/pull/4596"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.