pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

説明

Summary

pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. This flaw allowed untrusted user input to be processed unsafely, which could be exploited by an attacker to inject arbitrary content into the web UI or manipulate request handling. The vulnerability could lead to client-side code execution (XSS) or other unintended behaviors when a malicious payload is submitted.

user-supplied parameters from HTTP requests were not adequately validated or sanitized before being passed into the application logic and response generation. This allowed crafted input to alter the expected execution flow.
CNL (Click'N'Load) blueprint exposed unsafe handling of untrusted parameters in HTTP requests. The application did not consistently enforce input validation or encoding, making it possible for an attacker to craft malicious requests.

PoC

  1. Run a vulnerable version of pyLoad prior to commit f9d27f2.
  2. Start the web UI and access the Captcha or CNL endpoints.
  3. Submit a crafted request containing malicious JavaScript payloads in unvalidated parameters (/flash/addcrypted2?jk=function(){alert(1)}&crypted=12345).
  4. Observe that the payload is reflected and executed in the client’s browser, demonstrating cross-site scripting (XSS).

Example request:

GET /flash/addcrypted2?jk=function(){alert(1)}&crypted=12345 HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

Refferences

  • https://github.com/pyload/pyload/commit/5823327d0b797161c7195a1f660266d30a69f0ca
  • @4624

Impact

Exploiting this vulnerability allows an attacker to inject and execute arbitrary JavaScript within the browser session of a user accessing the pyLoad Web UI. In practice, this means an attacker could impersonate an administrator, steal authentication cookies or tokens, and perform unauthorized actions on behalf of the victim. Because the affected endpoints are part of the core interface, a successful attack undermines the trust and security of the entire application, potentially leading to a full compromise of the management interface and the data it controls. The impact is particularly severe in cases where the Web UI is exposed over a network without additional access restrictions, as it enables remote attackers to directly target users with crafted links or requests that trigger the vulnerability.

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2025-10-09 15:19:48 UTC
更新
2026-04-24 21:09:38 UTC
GitHub レビュー済み
2025-10-09 15:19:48 UTC
NVD で公開
2025-10-09

EPSS Score

Score Percentile
0.04% 13.46%

CVSS Scores

Base score Version Severity Vector
8.1 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:R)
インストールの許可、設定変更、悪意あるファイルの実行など、人の一度の判断がトリガーになる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:H)
権限の奪取や広範なログ改竄など、システムの信頼根拠を揺るがす改ざんが現実的。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。

Identifiers

CWEs

CWE id Name
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-116 Improper Encoding or Escaping of Output

Credits

  • odaysec (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip pyload-ng < 0.5.0b3.dev91 0.5.0b3.dev91

References

cvelogic Threat Intelligence