GHSA-X698-5HJM-W2M5
Vulnerability from github – Published: 2025-07-08 21:36 – Updated: 2025-07-08 23:38

Summary
Any unauthenticated attacker can bypass the localhost restrictions imposed by the application and use this to create arbitrary packages.
Details
Any unauthenticated attacker can bypass the localhost restrictions imposed by the application and use this to create arbitrary packages. This is done by changing the `Host` header to the value `127.0.0.1:9666`.
PoC
The application has middleware that prevents access to several routes by checking whether the request's remote address is a loopback address or whether the `Host` header has a specific loopback value. Because the `Host` header is supplied by the client, we bypassed this restriction.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
```python
from functools import wraps

import flask


#: decorator
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")

        # Access is granted if EITHER condition holds. REMOTE_ADDR is the peer
        # address seen on the socket, but HTTP_HOST is the client's own Host
        # header, so a remote client can satisfy the second condition itself.
        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
            "127.0.0.1:9666",
            "[::1]:9666",
        ):
            return func(*args, **kwargs)
        else:
            return "Forbidden", 403

    return wrapper
```
Below we see that the `/flash/add` endpoint is guarded by the decorator above.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11
```python
@bp.route("/flash/add", methods=["POST"], endpoint="add")
@local_check
def add():
    ...  # body omitted in the advisory excerpt
```
Notice that a request sent to this endpoint from a remote address is rejected with `Forbidden` (HTTP 403).

However, if we set the `Host` header to `127.0.0.1:9666`, the request returns `success`.

Checking the front end as an admin, we see that the request did indeed succeed.
Impact
An unauthenticated user can perform actions that should only be available to authenticated users.
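The two checks side by side, as an added example that is not pyLoad's code or the project's fix: `vulnerable_check` mirrors the decorator's logic, `hardened_check` decides only on the socket peer address, and `statuses` runs three hand-built WSGI environ dicts (a local client, a remote client, and a remote client sending `Host: 127.0.0.1:9666`) through a decorator shaped like `local_check`. Everything except the two loopback tuples is constructed here; the example also generalises the fix to IPv6 and IPv4-mapped loopback addresses.

```python
"""Constructed example, not pyLoad's code or its fix: why HTTP_HOST cannot gate a
localhost-only route, beside a check that trusts only the socket peer address."""
from functools import wraps
from ipaddress import ip_address

LOOPBACK_ADDRS = ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost")
LOOPBACK_HOSTS = ("127.0.0.1:9666", "[::1]:9666")

def vulnerable_check(environ):
    """The advisory's logic: REMOTE_ADDR *or* the client-chosen HTTP_HOST may pass."""
    return (environ.get("REMOTE_ADDR", "0") in LOOPBACK_ADDRS
            or environ.get("HTTP_HOST", "0") in LOOPBACK_HOSTS)

def hardened_check(environ):
    """Decide only on the peer address the server observed. Parsing covers IPv4,
    IPv6 and IPv4-mapped loopback; anything unparsable (or missing) fails closed."""
    try:
        addr = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback

def local_only(check):
    """Decorator shaped like the advisory's local_check, parameterised by the check."""
    def decorator(func):
        @wraps(func)
        def wrapper(environ, *args, **kwargs):
            if check(environ):
                return func(environ, *args, **kwargs)
            return "Forbidden", 403
        return wrapper
    return decorator

# Hand-built WSGI environ dicts (constructed): a genuine local client, a remote
# client, and a remote client sending Host: 127.0.0.1:9666 as the advisory shows.
REQUESTS = {
    "local": {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "127.0.0.1:9666"},
    "remote": {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "dl.example:9666"},
    "spoofed_host": {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "127.0.0.1:9666"},
}

def statuses(check):
    """HTTP status each constructed request receives from a view guarded by check."""
    @local_only(check)
    def add(environ):  # stands in for the /flash/add view
        return "success", 200
    return {name: add(env)[1] for name, env in REQUESTS.items()}
```

The spoofed request gets 200 from `vulnerable_check` and 403 from `hardened_check`. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the hardened check cannot be deployed there without a separately trusted source of the client address.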
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.0b3.dev88"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7346"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-08T21:36:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"id": "GHSA-x698-5hjm-w2m5",
"modified": "2025-07-08T23:38:45Z",
"published": "2025-07-08T21:36:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages"
}