CVE-2024-22416

9.6 CRITICAL

📋 TL;DR

This CSRF vulnerability in pyLoad allows unauthenticated attackers to make arbitrary API calls via malicious GET requests. It affects all pyLoad instances with the vulnerable API configuration, potentially enabling complete system compromise. The issue stems from missing SameSite cookie protection on session cookies.

💻 Affected Systems

Products:
  • pyLoad
Versions: All versions before 0.5.0b3.dev78
Operating Systems: All platforms running pyLoad
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all pyLoad installations with API enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover: attackers could execute arbitrary commands, download malicious files, delete/download user data, or reconfigure the system.

🟠 Likely Case: Unauthorized file downloads/uploads, configuration changes, or data exfiltration from the pyLoad instance.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external exploitation.

🌐 Internet-Facing: HIGH - Any internet-exposed pyLoad instance is trivially exploitable via CSRF.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit via phishing or malicious internal sites.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CSRF exploitation requires user interaction (visiting malicious page) but is trivial to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.0b3.dev78

Vendor Advisory: https://github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm

Restart Required: Yes

Instructions:

1. Back up the pyLoad configuration and data.
2. Stop the pyLoad service.
3. Update pyLoad using pip: 'pip install --upgrade pyload-ng'.
4. Verify the version: 'pyload --version'.
5. Restart the pyLoad service.

🔧 Temporary Workarounds

Disable API Access (Platform: all)

Temporarily disable the pyLoad API to prevent exploitation:

1. Edit the pyLoad config (typically ~/.pyload/pyload.conf).
2. Set 'api.enabled' to 'False'.
3. Restart the pyLoad service.

Network Restriction (Platform: all)

Restrict API access to trusted IPs only:

  • Configure the firewall to block external access to the pyLoad API port (default: 8000).
  • Use a reverse proxy with IP whitelisting.

🧯 If You Can't Patch

  • Isolate pyLoad instance behind firewall with strict network access controls
  • Implement web application firewall (WAF) with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check if pyLoad version is below 0.5.0b3.dev78 and API is enabled in configuration

Check Version:

pyload --version

Verify Fix Applied:

Verify pyLoad version is 0.5.0b3.dev78 or higher and test API calls require proper authentication

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls from unexpected sources
  • GET requests to API endpoints with suspicious parameters
  • Configuration changes via API from unauthenticated sources

Network Indicators:

  • CSRF attack patterns in web traffic
  • API calls originating from web pages rather than direct client connections

SIEM Query:

source="pyload.log" AND ("GET /api/" OR "CSRF" OR "unauthorized")
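The log indicators above can be checked mechanically. The following is an added example, not part of this advisory or of pyLoad itself: it parses constructed reverse-proxy access-log lines (Combined Log Format with the Referer field) and flags GET requests to /api/ whose Referer belongs to a foreign origin, which is the signature of a cross-site GET carrying the session cookie. The host names, client IPs and API paths in the sample are illustrative assumptions, and the script assumes your proxy logs the Referer header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Combined Log Format, Referer in the
# second-to-last quoted field), as a reverse proxy in front of pyLoad might
# write them. Host names, client IPs and API paths are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /api/get_server_version HTTP/1.1" 200 12 "http://pyload.internal:8000/" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /api/add_package?name=x&links=http://files.example/x HTTP/1.1" 200 5 "https://lure-site.example/page.html" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /api/set_config_value?section=general&option=folder&value=tmp HTTP/1.1" 200 5 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "POST /api/login HTTP/1.1" 200 40 "http://pyload.internal:8000/login" "Mozilla/5.0"
"""

# host[:port] values from which legitimate browser requests to the pyLoad UI originate (assumed).
OWN_HOSTS = {"pyload.internal:8000"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify_api_get(line, own_hosts):
    """Return 'same-site', 'cross-site' or 'unattributed' for a GET to /api/, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or not m["path"].startswith("/api/"):
        return None
    referer = m["referer"]
    if referer == "-":
        # Browsers may strip Referer under a strict Referrer-Policy, so a missing
        # header is not proof of CSRF; queue it for review rather than ignoring it.
        return "unattributed"
    return "same-site" if urlsplit(referer).netloc.lower() in own_hosts else "cross-site"

def find_suspicious_api_gets(log_text, own_hosts):
    """Collect API GETs whose Referer is foreign or absent, grouped for triage."""
    findings = {"cross-site": [], "unattributed": []}
    for line in log_text.splitlines():
        verdict = classify_api_get(line, own_hosts)
        if verdict in findings:
            m = LOG_RE.match(line)
            findings[verdict].append((m["ip"], m["path"], m["referer"]))
    return findings

if __name__ == "__main__":
    for verdict, hits in find_suspicious_api_gets(SAMPLE_LOG, OWN_HOSTS).items():
        for ip, path, referer in hits:
            print(f"{verdict}: {ip} {path} referer={referer}")
```

A cross-site hit against a state-changing API method on an unpatched instance is the event to escalate; same-site GETs are normal UI traffic.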
