ghsa-x698-5hjm-w2m5
Vulnerability from github
Published
2025-07-08 21:36
Modified
2025-07-08 23:38
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
Details

Summary

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.

Details

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the Host header to the value of 127.0.0.1:9666.

PoC

The application has middleware that prevents access to several routes by checking whether the Host header has a specific value. We bypassed this restriction.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36 ```python

: decorator

def local_check(func): @wraps(func) def wrapper(args, *kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", "0") http_host = flask.request.environ.get("HTTP_HOST", "0")

    if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
        "127.0.0.1:9666",
        "[::1]:9666",
    ):
        return func(*args, **kwargs)
    else:
        return "Forbidden", 403

return wrapper

```

Below we see that the '/flash/add' endpoint uses the middleware above.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11 python @bp.route("/flash/add", methods=["POST"], endpoint="add") @local_check def add():

Notice how we are not authorized to access this endpoint when sending a request. image

However, if we set the Host header to be 127.0.0.1:9666, we notice the request returns success. image

Checking the front end as an admin, we now see that this did indeed succeed. image

Impact

An unauthenticated user can perform actions that should only be available to authenticated users.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0b3.dev88"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T21:36:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAny unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.\n\n### Details\nAny unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the `Host` header to the value of `127.0.0.1:9666`.\n\n### PoC\nThe application has middleware that prevents access to several routes by checking whether the `Host` header has a specific value. We bypassed this restriction.\n\nhttps://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36\n```python\n#: decorator\ndef local_check(func):\n    @wraps(func)\n    def wrapper(*args, **kwargs):\n        remote_addr = flask.request.environ.get(\"REMOTE_ADDR\", \"0\")\n        http_host = flask.request.environ.get(\"HTTP_HOST\", \"0\")\n\n        if remote_addr in (\"127.0.0.1\", \"::ffff:127.0.0.1\", \"::1\", \"localhost\") or http_host in (\n            \"127.0.0.1:9666\",\n            \"[::1]:9666\",\n        ):\n            return func(*args, **kwargs)\n        else:\n            return \"Forbidden\", 403\n\n    return wrapper\n```\n\nBelow we see that the \u0027/flash/add\u0027 endpoint uses the middleware above.\n\nhttps://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11\n```python\n@bp.route(\"/flash/add\", methods=[\"POST\"], endpoint=\"add\")\n@local_check\ndef add():\n```\n\nNotice how we are not authorized to access this endpoint when sending a request.\n![image](https://user-images.githubusercontent.com/44903767/294935526-64217d91-c0d1-4d8f-963f-cedfa8dc9034.png)\n\nHowever, if we set the `Host` header to be `127.0.0.1:9666`, we notice the request returns `success`.\n![image](https://user-images.githubusercontent.com/44903767/294933755-43ad3826-0e94-4ba5-acf0-48f11670cbc6.png)\n\nChecking the front end as an admin, we now see that this did indeed succeed.\n![image](https://user-images.githubusercontent.com/44903767/294934431-5d024c75-59dc-47b6-8887-b14ae91e320f.png)\n\n### Impact\nAn unauthenticated user can perform actions that should only be available to authenticated users.",
  "id": "GHSA-x698-5hjm-w2m5",
  "modified": "2025-07-08T23:38:45Z",
  "published": "2025-07-08T21:36:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.