CVE-2025-54802 Overview
CVE-2025-54802 is a critical path traversal vulnerability affecting pyLoad-ng, a free and open-source download manager written in pure Python. In versions 0.5.0b3.dev89 and below, an unsafe path construction flaw in the CNL Blueprint's addcrypted endpoint allows unauthenticated attackers to write arbitrary files outside the designated storage directory via the package parameter.
This vulnerability can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root.
Critical Impact
Unauthenticated attackers can achieve arbitrary file write capabilities, enabling them to overwrite system configuration files and gain remote code execution with root privileges on vulnerable pyLoad-ng installations.
Affected Products
- pyload-ng versions 0.5.0b3.dev89 and below
- pyLoad-ng installations using the CNL Blueprint functionality
- Systems running pyload-ng with network-accessible endpoints
Discovery Timeline
- August 5, 2025 - CVE-2025-54802 published to NVD
- October 9, 2025 - Last updated in NVD database
Technical Details for CVE-2025-54802
Vulnerability Analysis
The vulnerability exists in the addcrypted endpoint within the CNL Blueprint component of pyload-ng. The endpoint processes user-supplied input from the package parameter without adequate path validation before constructing file paths. While the original code attempted to sanitize the input by removing forward slashes, backslashes, and colons, these measures were insufficient to prevent path traversal attacks.
An attacker can craft malicious package parameter values that bypass the basic character filtering, allowing file writes to locations outside the intended storage directory. Since pyload-ng often runs with elevated privileges, successful exploitation enables writing to sensitive system locations such as /etc/cron.d/ or /etc/systemd/system/, facilitating privilege escalation to root.
Root Cause
The root cause is improper input validation and insufficient path canonicalization in the file path construction logic. The vulnerable code concatenates user-controlled input directly into a file path without verifying that the resulting path remains within the designated storage directory boundaries. The absence of path normalization and directory containment checks allows attackers to escape the intended directory structure using path traversal sequences.
Attack Vector
The attack leverages the network-accessible addcrypted endpoint, which does not require authentication. An attacker sends a crafted HTTP request with a malicious package parameter containing path traversal sequences. Despite the basic character filtering (removing /, \, and :), certain encoding techniques or edge cases can bypass these restrictions, allowing the attacker to specify an arbitrary file location for writing the contents of the crypted form field.
The attack flow involves:
- Identifying a pyload-ng instance with the vulnerable CNL endpoint exposed
- Crafting a malicious request with path traversal payload in the package parameter
- Writing malicious content to system files (cron jobs, systemd services, SSH keys)
- Achieving privilege escalation or persistent access via the written payload
The following patch demonstrates the fix implemented in version 0.5.0b3.dev90:
"package", flask.request.form.get("source", flask.request.form.get("referer"))
)
dl_path = api.get_config_value("general", "storage_folder")
- dlc_path = os.path.join(
- dl_path, package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc"
- )
+ dlc_filename = package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc"
+ dlc_path = os.path.join(dl_path, dlc_filename)
+ dlc_path = os.path.normpath(dlc_path)
+ # Ensure dlc_path is within dl_path
+ if not os.path.abspath(dlc_path).startswith(os.path.abspath(dl_path) + os.sep):
+ return "failed: invalid package name\r\n", 400
dlc = flask.request.form["crypted"].replace(" ", "+")
with open(dlc_path, mode="wb") as fp:
fp.write(dlc)
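Review bot: the containment test at `if not os.path.abspath(dlc_path).startswith(os.path.abspath(dl_path) + os.sep):` is purely lexical; `os.path.normpath` does not resolve symlinks, so a symlink inside the storage folder that points elsewhere still passes, and the file write at `fp.write(dlc)` follows it. Resolve both sides with `os.path.realpath` (or compare with `os.path.commonpath`) before the prefix test. Two smaller points visible in the hunk: `package` is `None` when none of `package`, `source` or `referer` is present (the inner `form.get("referer")` has no default), so `package.replace(...)` raises before the new check runs, and `fp.write(dlc)` writes a `str` to a file opened with `mode="wb"`, which raises `TypeError` after the file has already been created; encode the value or open in text mode.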
Source: GitHub Commit
The fix adds proper path normalization using os.path.normpath() and implements a directory containment check to ensure the resolved path remains within the designated storage folder.
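The following Python is an added example, not code from pyLoad-ng or from the commit above. It places a containment check written in the style of the fix (lexical normpath plus prefix test) beside a stricter variant that resolves symlinks with os.path.realpath and compares with os.path.commonpath. The storage directory /srv/pyload, the sample names and the symlink scenario are constructed for the demonstration; note that once separators are stripped, traversal-looking names become ordinary file names, so the containment check is the layer that guards whatever the stripping does not cover.

```python
import os
import tempfile


def strip_separators(package: str) -> str:
    """Character stripping as the page describes for the endpoint: drop /, \\ and :."""
    return package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc"


def contained_by_normpath(storage_dir: str, filename: str) -> bool:
    """Containment test in the style of the fix: normalize lexically, then prefix-compare."""
    dlc_path = os.path.normpath(os.path.join(storage_dir, filename))
    return os.path.abspath(dlc_path).startswith(os.path.abspath(storage_dir) + os.sep)


def contained_by_realpath(storage_dir: str, filename: str) -> bool:
    """Stricter test: resolve symlinks on both sides, then require a common root."""
    base = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base:          # an empty name would target the directory itself
        return False
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:             # different drives on Windows: cannot be contained
        return False


def symlink_scenario():
    """Constructed scenario: storage/link.dlc is a symlink to a file outside storage.

    Returns (normpath_result, realpath_result), or None if symlinks cannot be created.
    """
    with tempfile.TemporaryDirectory() as root:
        storage = os.path.join(root, "storage")
        outside = os.path.join(root, "outside")
        os.makedirs(storage)
        os.makedirs(outside)
        target = os.path.join(outside, "target.txt")
        with open(target, "w") as fp:
            fp.write("original contents\n")
        try:
            os.symlink(target, os.path.join(storage, "link.dlc"))
        except OSError:            # e.g. no symlink privilege on Windows
            return None
        return (contained_by_normpath(storage, "link.dlc"),
                contained_by_realpath(storage, "link.dlc"))


if __name__ == "__main__":
    for name in ["movies", "..", "../..", "", "a:b\\c"]:
        fn = strip_separators(name)
        print(repr(name), "->", repr(fn),
              "normpath:", contained_by_normpath("/srv/pyload", fn),
              "realpath:", contained_by_realpath("/srv/pyload", fn))
    print("symlink scenario (normpath, realpath):", symlink_scenario())
```

The prefix test appends os.sep so that a sibling directory such as /srv/pyload2 is not mistaken for a child of /srv/pyload; the realpath variant additionally rejects the symlink case, which the lexical check accepts.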
Detection Methods for CVE-2025-54802
Indicators of Compromise
- Unexpected files appearing in system directories such as /etc/cron.d/, /etc/systemd/system/, or ~/.ssh/
- Modified cron jobs or systemd service files not matching known configurations
- Web server logs showing requests to /addcrypted endpoint with suspicious package parameter values
- New or modified .dlc files in unexpected filesystem locations outside the pyload storage directory
Detection Strategies
- Monitor HTTP requests to the /addcrypted endpoint for path traversal sequences such as .., encoded characters (%2e%2e), or null bytes in the package parameter
- Implement file integrity monitoring (FIM) on critical system directories including /etc/cron.d/, /etc/cron.daily/, /etc/systemd/system/, and similar privilege-escalation targets
- Configure web application firewalls (WAF) to detect and block path traversal patterns in POST request parameters
- Review pyload-ng access logs for unauthenticated requests to the CNL Blueprint endpoints
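As an added example (not part of the page or of pyLoad-ng), the Python below implements the first detection strategy over constructed log records. It assumes a hypothetical JSON-lines application log that records the form fields of each request (a plain web-server access log does not carry POST bodies); the source addresses, timestamps and package values are made up. Requests are matched on a path ending in /addcrypted, which covers both the spelling used on this page and the /flash/addcrypted route, and the package value is percent-decoded until stable so that %2e%2e and double-encoded %252e%252e are normalized alike.

```python
import json
import re
from urllib.parse import unquote

# After decoding, a separator, a dot-dot segment or a NUL byte is not a
# plausible package name for this endpoint.
TRAVERSAL_RE = re.compile(r"\.\.|[/\\]|\x00")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_package(value: str) -> bool:
    """True when the decoded package value carries a traversal indicator."""
    return TRAVERSAL_RE.search(decode_fully(value)) is not None


def scan_records(lines):
    """Return one finding per POST to an addcrypted endpoint with a suspicious package value."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").endswith("/addcrypted"):
            continue
        package = rec.get("form", {}).get("package", "")
        if suspicious_package(package):
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "package": package, "decoded": decode_fully(package)})
    return findings


# Constructed sample records (hypothetical log format, not real traffic).
SAMPLE_LOG = [
    '{"ts":"2025-08-06T10:00:01Z","src":"192.168.1.20","method":"POST",'
    '"path":"/flash/addcrypted","form":{"package":"movies","crypted":"AAAA"}}',
    '{"ts":"2025-08-06T10:00:07Z","src":"203.0.113.7","method":"POST",'
    '"path":"/flash/addcrypted","form":{"package":"..%2f..%2ftmp%2fprobe","crypted":"AAAA"}}',
    '{"ts":"2025-08-06T10:00:09Z","src":"203.0.113.7","method":"POST",'
    '"path":"/flash/addcrypted","form":{"package":"%252e%252e%252fprobe","crypted":"AAAA"}}',
    '{"ts":"2025-08-06T10:00:12Z","src":"192.168.1.21","method":"GET","path":"/api/status"}',
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} package={f['package']!r} decoded={f['decoded']!r}")
```

Plain dots in a name such as season.2 are not flagged; only a dot-dot segment, a separator or a NUL byte in the decoded value produces a finding, which keeps the rule useful as an alert source rather than a noise generator.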
Monitoring Recommendations
- Enable detailed logging for all pyload-ng HTTP endpoints and monitor for anomalous request patterns
- Deploy endpoint detection and response (EDR) solutions to detect unexpected file creation in system directories by the pyload process
- Implement network segmentation to limit exposure of pyload-ng management interfaces to trusted networks only
- Configure alerting on file creation events outside the configured pyload storage directory by the pyload process
How to Mitigate CVE-2025-54802
Immediate Actions Required
- Upgrade pyload-ng immediately to version 0.5.0b3.dev90 or later, which contains the security fix
- Restrict network access to pyload-ng instances by implementing firewall rules or network segmentation
- Audit system files in common privilege escalation targets (/etc/cron.d/, /etc/systemd/system/) for unauthorized modifications
- Review pyload-ng logs for evidence of exploitation attempts against the addcrypted endpoint
Patch Information
The vulnerability has been addressed in pyload-ng version 0.5.0b3.dev90. The fix is available via the GitHub commit 70a44fe and was merged through Pull Request #4596. Administrators should upgrade to the patched version immediately. For detailed information, refer to the GitHub Security Advisory GHSA-48rp-jc79-2264.
Workarounds
- Disable the CNL Blueprint functionality if not required by commenting out or removing the relevant route registration
- Place pyload-ng behind an authenticating reverse proxy to prevent unauthenticated access to all endpoints
- Run pyload-ng with minimal filesystem permissions using a dedicated low-privilege user account
- Deploy network-level controls to restrict access to pyload-ng only from trusted IP addresses or internal networks
# Configuration example: Restrict pyload-ng access via iptables
# Allow access only from trusted network (adjust IP range as needed)
iptables -A INPUT -p tcp --dport 8000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# Run pyload-ng as non-root user with restricted permissions
useradd -r -s /bin/false pyload
chown -R pyload:pyload /var/lib/pyload
chmod 750 /var/lib/pyload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.