CVE-2025-54802

9.8 CRITICAL

📋 TL;DR

This vulnerability in pyLoad allows unauthenticated attackers to perform path traversal via the addcrypted endpoint, leading to arbitrary file write and remote code execution. It affects pyLoad versions 0.5.0b3.dev89 and below, potentially allowing attackers to overwrite critical system files and gain root access.

💻 Affected Systems

Products:
  • pyLoad
Versions: 0.5.0b3.dev89 and below
Operating Systems: All operating systems running pyLoad
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the pyLoad-ng CNL Blueprint component. The vulnerability is present in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution as root, complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Remote code execution with the privileges of the pyLoad process, potentially leading to system compromise if running with elevated privileges.

🟢 If Mitigated

Limited impact if pyLoad runs in a containerized environment with restricted filesystem access and minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is unauthenticated and involves straightforward path traversal, making exploitation relatively simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.0b3.dev90

Vendor Advisory: https://github.com/pyload/pyload/security/advisories/GHSA-48rp-jc79-2264

Restart Required: Yes

Instructions:

1. Update pyLoad to version 0.5.0b3.dev90 or later.
2. Restart the pyLoad service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to pyLoad to trusted IP addresses only. Replace [pyLoad_port] and [trusted_ip] with your values; because -A appends, the ACCEPT rule must be added before the DROP rule.

iptables -A INPUT -p tcp --dport [pyLoad_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [pyLoad_port] -j DROP

Run as Unprivileged User (Linux)

Run pyLoad with minimal privileges to limit the impact of exploitation.

sudo -u nobody python -m pyload

🧯 If You Can't Patch

  • Disable the pyLoad service immediately if patching is not possible.
  • Implement strict network segmentation and firewall rules to isolate the vulnerable system.

🔍 How to Verify

Check if Vulnerable:

Check the pyLoad version. If it is 0.5.0b3.dev89 or below, the system is vulnerable.

Check Version:

python -c "import pyload; print(pyload.__version__)"

Verify Fix Applied:

Verify the pyLoad version is 0.5.0b3.dev90 or later and test the addcrypted endpoint with path traversal attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write attempts outside the designated storage directory
  • Requests to the addcrypted endpoint with suspicious package parameters

Network Indicators:

  • HTTP POST requests to /addcrypted with unusual payloads

SIEM Query:

source="pyLoad.log" AND "addcrypted" AND ("../" OR "..\\")
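The SIEM query above only matches literal "../" and "..\" sequences, so URL-encoded or double-encoded variants in the package parameter would slip past it. The following detection script is an added example (not part of this advisory or of pyLoad) that goes a step further: it parses constructed access-log lines, percent-decodes the package parameter repeatedly, and flags POST requests to the addcrypted endpoint whose package name contains a traversal segment. It assumes a combined-log layout with the form parameters appended as a final quoted field (which a default access log does not record) and a /flash/addcrypted path prefix.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in an assumed "combined log + form params" layout.
# The /flash/ path prefix and the trailing quoted parameter field are assumptions,
# not pyLoad's default log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2025:12:00:01 +0000] "POST /flash/addcrypted HTTP/1.1" 200 12 "package=holiday%20photos&crypted=QUFBQQ=="
203.0.113.9 - - [10/Aug/2025:12:00:05 +0000] "POST /flash/addcrypted HTTP/1.1" 200 12 "package=../../../../tmp/x&crypted=QUFBQQ=="
203.0.113.9 - - [10/Aug/2025:12:00:09 +0000] "POST /flash/addcrypted HTTP/1.1" 200 12 "package=..%2F..%2F..%2Ftmp%2Fy&crypted=QUFBQQ=="
203.0.113.9 - - [10/Aug/2025:12:00:12 +0000] "POST /flash/addcrypted HTTP/1.1" 200 12 "package=%252e%252e%252fz&crypted=QUFBQQ=="
198.51.100.4 - - [10/Aug/2025:12:01:00 +0000] "GET /api/getServerVersion HTTP/1.1" 200 30 "-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<params>[^"]*)"$'
)
# A ".." path segment delimited by a slash, backslash, or the start/end of the name.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '%252e%252e%252f' still surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def package_param(params):
    """Return the raw 'package' form value, or None if the request has none."""
    for pair in params.split("&"):
        key, _, val = pair.partition("=")
        if key == "package":
            return val
    return None

def find_traversal_attempts(log_text):
    """Return (source, timestamp, decoded package name) for each suspicious addcrypted POST."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").split("?")[0].endswith("/addcrypted"):
            continue
        raw = package_param(m.group("params"))
        if raw is None:
            continue
        name = decode_fully(raw)
        if TRAVERSAL_RE.search(name):
            hits.append((m.group("src"), m.group("ts"), name))
    return hits

if __name__ == "__main__":
    for src, ts, name in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ts} {src} addcrypted package={name!r}")
```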
