
CVE-2024-21644: pyLoad Information Disclosure Flaw

CVE-2024-21644 is an information disclosure vulnerability in pyLoad that exposes the Flask configuration, including SECRET_KEY, to unauthenticated users. This article covers technical details, affected versions, and fixes.


CVE-2024-21644 Overview

CVE-2024-21644 is an information disclosure vulnerability in pyLoad, the free and open-source Download Manager written in pure Python. Any unauthenticated remote attacker can browse to a specific URL to expose the underlying Flask configuration, including the SECRET_KEY variable. Exposure of SECRET_KEY undermines session integrity and signed-token validation in Flask applications, enabling session forgery and downstream account compromise. The flaw is tracked under CWE-284: Improper Access Control and is fixed in pyLoad version 0.5.0b3.dev77.

Critical Impact

Unauthenticated attackers can retrieve the Flask SECRET_KEY and other configuration data, enabling session forgery against any exposed pyLoad instance.

Affected Products

  • pyLoad 0.5.0-beta1
  • pyLoad 0.5.0-beta2
  • pyLoad versions prior to 0.5.0b3.dev77

Discovery Timeline

  • 2024-01-08 - CVE-2024-21644 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-21644

Vulnerability Analysis

pyLoad exposes an information endpoint in its Flask-based web UI that passes server details into the rendered template's context. That context includes the value returned by api.get_userdir() under a key originally named config. Flask registers config as a Jinja2 template global that resolves to the application's configuration mapping (app.config), which holds SECRET_KEY and other secrets, so a template reference to config is ambiguous between the view's own value and the framework's object. Because the information route requires no authentication, an attacker reaching the page receives the entire Flask config in the response body.

Root Cause

The root cause is a naming collision between an application-defined template variable and Flask's built-in config template global. By passing a key named config into the template context, pyLoad shadowed, and then unintentionally surfaced, the framework's configuration object. Combined with the lack of authentication on the information route, this resulted in unauthenticated disclosure of sensitive Flask configuration values [CWE-284].
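The collision described above can be reproduced in a few lines. The following is an added example, not pyLoad's code: it builds a throwaway Flask app with a constructed SECRET_KEY, renders a template that references the name config with and without a view-supplied value of the same name, and includes a small pre-ship check that flags context keys shadowing any Jinja2 global Flask registers. It assumes Flask is installed; the template strings and paths are constructed to mirror the page's description.

```python
# Added example (not pyLoad's code): shows how a template context key that
# shares a name with Flask's built-in `config` Jinja2 global behaves, and a
# check that flags such collisions before a view is shipped.
# Assumes Flask is installed; the secret and paths below are constructed.
from flask import Flask, render_template_string


def build_app(secret: str = "constructed-secret-do-not-use") -> Flask:
    """Minimal Flask app with a SECRET_KEY, standing in for the pyLoad web UI."""
    app = Flask(__name__)
    app.config["SECRET_KEY"] = secret
    return app


# Template fragments modelled on the page's description; both are constructed.
# `config` is a name Flask injects into every template as a global.
COLLIDING_TEMPLATE = "Config folder: {{ config }}"
# The fixed form uses a key that does not shadow any Flask global.
SAFE_TEMPLATE = "Config folder: {{ config_folder }}"


def render_info(app: Flask, template: str, **context) -> str:
    """Render a template string inside an app context, as a Flask view would."""
    with app.app_context():
        return render_template_string(template, **context)


def leaks_secret(app: Flask, rendered: str) -> bool:
    """True if the rendered page contains the application's SECRET_KEY."""
    return app.config["SECRET_KEY"] in rendered


def colliding_keys(app: Flask, context: dict) -> set:
    """Context keys that shadow a Jinja2 global registered on this app
    (Flask registers config, request, session, g, url_for, ...)."""
    return set(context) & set(app.jinja_env.globals)


if __name__ == "__main__":
    app = build_app()
    # With no context value named `config`, Jinja2 falls through to Flask's
    # global and the Config mapping, SECRET_KEY included, lands in the HTML.
    page = render_info(app, COLLIDING_TEMPLATE)
    print("secret leaked:", leaks_secret(app, page))  # True
    # A view that passes its own `config` key shadows the global for that
    # render only; any render of the template without that key leaks.
    page = render_info(app, COLLIDING_TEMPLATE, config="/home/user/.pyload")
    print("secret leaked:", leaks_secret(app, page))  # False
    # Renamed key: nothing to shadow, and an absent value renders as empty.
    page = render_info(app, SAFE_TEMPLATE)
    print("secret leaked:", leaks_secret(app, page))  # False
    # Pre-ship check over a view's context dictionary.
    print(colliding_keys(app, {"config": "/home/user/.pyload", "folder": "/opt/pyload"}))  # {'config'}
```

The colliding_keys check is the durable takeaway: running it over every render_template call's context (or in a unit test) catches this class of shadowing before a template ever reaches an unauthenticated route.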

Attack Vector

An attacker sends an unauthenticated HTTP request to the pyLoad information URL on a reachable instance. The server returns HTML containing the Flask configuration dictionary, including SECRET_KEY. The attacker can then forge signed session cookies and impersonate authenticated users.

```diff
# Patch from src/pyload/webui/app/blueprints/app_blueprint.py
# Source: https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40
        "os": " ".join((os.name, sys.platform) + extra),
        "version": api.get_server_version(),
        "folder": PKGDIR,
-        "config": api.get_userdir(),
+        "config_folder": api.get_userdir(),
        "download": conf["general"]["storage_folder"]["value"],
        "freespace": format.size(api.free_space()),
        "webif": conf["webui"]["port"]["value"],
```
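Review bot: the rename on the view side is only half the change; the information template's own reference to config must be updated to config_folder in the same commit, because once the view stops supplying a value named config, any remaining {{ config }} in the template resolves straight to Flask's config global, and this hunk does not show that template edit. It is also worth recording in the commit message that the route still serves without authentication, so the rename removes SECRET_KEY from the page but leaves the other server details in this dictionary (OS, version, package folder, storage folder, free space, web UI port) readable by anyone who can reach the instance.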

The fix renames the colliding template key from config to config_folder, preventing Jinja2 from resolving the reference to the Flask application's configuration object. See the GitHub Security Advisory GHSA-mqpq-2p68-46fv for additional context.

Detection Methods for CVE-2024-21644

Indicators of Compromise

  • Unauthenticated HTTP GET requests to the pyLoad information page from external IP addresses.
  • HTTP responses from pyLoad containing the string SECRET_KEY or other Flask configuration keys in the body.
  • Subsequent authenticated sessions originating from IP addresses that previously requested the information endpoint without logging in.

Detection Strategies

  • Inspect pyLoad web server access logs for requests to the information route that return large response bodies prior to any successful authentication.
  • Compare deployed pyLoad versions against 0.5.0b3.dev77 and flag any instance running 0.5.0-beta1, 0.5.0-beta2, or earlier development builds.
  • Monitor outbound responses for sensitive token patterns using web application firewall content inspection rules.
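The indicators and the log-review strategy above can be turned into a small script. The following is an added example, not part of the page or of pyLoad: it parses Common Log Format access-log lines and reports, per client IP, large responses from the information page that precede that IP's first successful login, and logins from IPs that had already fetched the page anonymously. The route paths, the login success signature (a POST answered with 302) and the size threshold are assumptions, and the log lines are constructed.

```python
# Added example (not from the page or pyLoad): a small access-log review that
# flags the two patterns described above, with constructed sample log lines.
# Assumptions: Common Log Format lines, the info page lives at INFO_PATH and a
# successful login is a POST to LOGIN_PATH answered with 302; adjust for your
# deployment.
import re
from typing import Dict, List

INFO_PATH = "/info"          # assumed route of the pyLoad information page
LOGIN_PATH = "/login"        # assumed login route
LARGE_BODY = 4096            # bytes; a page dumping a config dict is large

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines: 203.0.113.7 hits the info page anonymously, gets a
# large body, then logs in; 198.51.100.4 logs in first, then views the page;
# 192.0.2.9 fetches a small info page only.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2024:10:00:00 +0000] "GET /info HTTP/1.1" 200 5120
203.0.113.7 - - [08/Jan/2024:10:00:05 +0000] "GET /login HTTP/1.1" 200 812
203.0.113.7 - - [08/Jan/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [08/Jan/2024:10:01:00 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [08/Jan/2024:10:01:10 +0000] "GET /info HTTP/1.1" 200 5120
192.0.2.9 - - [08/Jan/2024:10:02:00 +0000] "GET /info HTTP/1.1" 200 640
"""


def parse_log(text: str) -> List[dict]:
    """Parse CLF lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        events.append(e)
    return events


def review_access_log(text: str) -> Dict[str, List[str]]:
    """Walk the log in order, tracking state per client IP, and return:
    'pre_auth_info': large info-page responses served before that IP's first
    successful login (the disclosure pattern);
    'login_after_info': successful logins from IPs that had already fetched
    the info page anonymously (the follow-on session pattern)."""
    findings: Dict[str, List[str]] = {"pre_auth_info": [], "login_after_info": []}
    authed = set()        # IPs with a successful login seen so far
    fetched_info = set()  # IPs that fetched the info page while unauthenticated
    for e in parse_log(text):
        ip, path = e["ip"], e["path"].split("?")[0]
        if path == INFO_PATH and e["status"] == 200:
            if ip not in authed:
                fetched_info.add(ip)
                if e["size"] >= LARGE_BODY:
                    findings["pre_auth_info"].append(f"{ip} {e['ts']} {e['size']} bytes")
        elif path == LOGIN_PATH and e["method"] == "POST" and e["status"] == 302:
            if ip in fetched_info:
                findings["login_after_info"].append(f"{ip} {e['ts']}")
            authed.add(ip)
    return findings


if __name__ == "__main__":
    for kind, hits in review_access_log(SAMPLE_LOG).items():
        print(kind, hits)
```

Run against real logs, the size threshold should be set from a baseline of the patched page's response size, and the login signature from how the deployed reverse proxy or pyLoad itself records a successful authentication.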

Monitoring Recommendations

  • Alert on session cookies that validate successfully but originate from new geolocations or user agents after exposure of an unpatched instance.
  • Track failed and successful logins for administrative pyLoad accounts and correlate with prior unauthenticated reconnaissance.
  • Periodically scan internal and exposed asset inventories for the pyLoad service banner and version string.

How to Mitigate CVE-2024-21644

Immediate Actions Required

  • Upgrade all pyLoad installations to version 0.5.0b3.dev77 or later.
  • Rotate the Flask SECRET_KEY and invalidate all existing sessions on any instance that was exposed prior to patching.
  • Reset credentials for pyLoad accounts whose sessions may have been forged.
  • Restrict network access to the pyLoad web UI to trusted management networks only.

Patch Information

The fix is implemented in commit bb22063a875ffeca357aaf6e2edcd09705688c40 and released in pyLoad 0.5.0b3.dev77. The patch renames the conflicting template variable in src/pyload/webui/app/blueprints/app_blueprint.py from config to config_folder, eliminating the Jinja2 name collision that exposed the Flask configuration object. Full remediation details are published in the GitHub Security Advisory GHSA-mqpq-2p68-46fv.

Workarounds

  • Place pyLoad behind an authenticating reverse proxy that blocks anonymous access to the information endpoint.
  • Bind the pyLoad web UI to localhost and tunnel access through SSH or a VPN.
  • Configure firewall rules to deny inbound traffic to the pyLoad listening port from untrusted networks.
```bash
# Verify the installed pyLoad version (the PyPI package is pyload-ng) and
# upgrade to the fixed release
pip show pyload-ng | grep -i version
pip install --upgrade "pyload-ng>=0.5.0b3.dev77"

# Restrict the web UI to localhost in the pyLoad configuration
# Edit ~/.pyload/settings/pyload.cfg
# [webui]
# host = 127.0.0.1
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
