CVE-2025-54802

pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4	Patch
https://github.com/pyload/pyload/pull/4596	Exploit Patch
https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264	Exploit Vendor Advisory
https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev89:*:*:*:*:python:*:*

History

No history.

Information

Published : 2025-08-05 01:15

Updated : 2025-10-09 17:32

NVD link : CVE-2025-54802

Mitre link : CVE-2025-54802

CVE.ORG link : CVE-2025-54802

JSON object : View

Products Affected

pyload-ng_project

pyload-ng

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-54802", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T01:15:42.240", "references": [{"url": "https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/pyload/pyload/pull/4596", "tags": ["Exploit", "Patch"], "source": "[email protected]"}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90."}, {"lang": "es", "value": "pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. En las versiones 0.5.0b3.dev89 y anteriores, existe la posibilidad de path traversal en el CNL Blueprint de pyLoad-ng mediante el par\u00e1metro \"paquete\", lo que permite la escritura arbitraria de archivos y la ejecuci\u00f3n remota de c\u00f3digo (RCE). El endpoint addcrypted de pyload-ng presenta una vulnerabilidad de construcci\u00f3n de rutas inseguras, que permite a atacantes no autenticados escribir archivos arbitrarios fuera del directorio de almacenamiento designado. Esto puede utilizarse para sobrescribir archivos cr\u00edticos del sistema, como tareas cron y servicios systemd, lo que provoca la escalada de privilegios y la ejecuci\u00f3n remota de c\u00f3digo como root. Este problema se solucion\u00f3 en la versi\u00f3n 0.5.0b3.dev90."}], "lastModified": "2025-10-09T17:32:39.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pyload-ng_project:pyload-ng:0.5.0b3.dev89:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "0DB5128C-2AF7-4255-A80F-9EA9F4FEBA52"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}