CVE-2025-7346
Severity: HIGH 7.5 | EPSS 0.74%

pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
Description
### Summary

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.

### Details

The restriction is bypassed by changing the `Host` header to the value `127.0.0.1:9666`.

### PoC

The application has middleware that prevents access to several routes by checking whether the request comes from a loopback address or whether the `Host` header has a specific value. We bypassed this restriction.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36

```python
from functools import wraps

import flask


#: decorator
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        # REMOTE_ADDR is taken from the accepted socket; HTTP_HOST is the
        # client-supplied Host header, so the second condition below is
        # satisfiable by any remote client.
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")
        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
            "127.0.0.1:9666",
            "[::1]:9666",
        ):
            return func(*args, **kwargs)
        else:
            return "Forbidden", 403

    return wrapper
```

Below we see that the `/flash/add` endpoint uses the middleware above.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11

```python
@bp.route("/flash/add", methods=["POST"], endpoint="add")
@local_check
def add():
    ...  # body elided in the linked excerpt
```

Notice how we are not authorized to access this endpoint when sending a request.

However, if we set the `Host` header to `127.0.0.1:9666`, we notice the request returns `success`.

Checking the front end as an admin, we now see that this did indeed succeed.

### Impact

An unauthenticated user can perform actions that should only be available to authenticated users.
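To make the defect concrete, the following added example (not pyLoad's code and not the project's actual fix) reduces the decision in `local_check` to pure functions over a WSGI `environ` dict: the weak form as shown above, a hardened form that trusts only the peer address, and a small detection helper. The addresses and environ dicts are constructed sample values.

```python
# Added example, not pyLoad's code: the localhost check as pure functions
# over a WSGI environ dict, so the weak and hardened forms can be compared.

LOCAL_ADDRS = ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost")
LOCAL_HOSTS = ("127.0.0.1:9666", "[::1]:9666")


def is_local_weak(environ):
    """Mirror of the vulnerable logic: a matching Host header alone is
    accepted, although HTTP_HOST is set entirely by the client."""
    remote_addr = environ.get("REMOTE_ADDR", "0")
    http_host = environ.get("HTTP_HOST", "0")
    return remote_addr in LOCAL_ADDRS or http_host in LOCAL_HOSTS


def is_local_hardened(environ):
    """Decide only on REMOTE_ADDR, which the WSGI server fills from the
    accepted socket and which request content cannot change. Caveat: behind
    a reverse proxy REMOTE_ADDR is the proxy's address, so such deployments
    need a separately trusted proxy configuration, not a header check."""
    return environ.get("REMOTE_ADDR", "0") in LOCAL_ADDRS


def suspicious_host_mismatch(environ):
    """Detection aid: a loopback Host value arriving from a non-loopback
    peer is the exact shape of request this advisory describes."""
    return (environ.get("HTTP_HOST", "") in LOCAL_HOSTS
            and environ.get("REMOTE_ADDR", "") not in LOCAL_ADDRS)


def spoofed_host_request():
    """Constructed environ: remote client, forged Host header."""
    return {"REMOTE_ADDR": "203.0.113.5", "HTTP_HOST": "127.0.0.1:9666",
            "REQUEST_METHOD": "POST", "PATH_INFO": "/flash/add"}


def genuine_local_request():
    """Constructed environ: request really originating on loopback."""
    return {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "127.0.0.1:9666",
            "REQUEST_METHOD": "POST", "PATH_INFO": "/flash/add"}


if __name__ == "__main__":
    for name, env in (("spoofed", spoofed_host_request()),
                      ("genuine", genuine_local_request())):
        print(name, "weak:", is_local_weak(env),
              "hardened:", is_local_hardened(env),
              "flagged:", suspicious_host_mismatch(env))
```

The weak check admits the spoofed request while the hardened one rejects it and still admits the genuine loopback request; the mismatch helper gives a log condition to alert on in the meantime.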
Affected packages (1)
- PyPI/pyload-ng: from 0, <= 0.5.0b3.dev88
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- PATCH: https://github.com/pyload/pyload
- WEB: https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
- WEB: https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11
- WEB: https://github.com/pyload/pyload/commit/f4e2d12416ba2dfac7b036d5c8d6dab5461b9840
- WEB: https://github.com/pyload/pyload/security/advisories/GHSA-x698-5hjm-w2m5