CVE-2025-55156 Overview
CVE-2025-55156 is a SQL Injection vulnerability [CWE-89] in pyLoad, the free and open-source download manager written in pure Python. The flaw affects the add_links parameter in the /json/add_package API endpoint. Attackers can inject arbitrary SQL through this parameter to modify or delete data in the underlying database. The issue exists in versions prior to 0.5.0b3.dev91 and has been patched in that release.
Critical Impact
Unauthenticated network-based attackers can manipulate or destroy data in the pyLoad database by injecting SQL through the add_links parameter, causing integrity loss and operational disruption.
Affected Products
- pyLoad Download Manager versions prior to 0.5.0b3.dev91
- The /json/add_package API endpoint accepting the add_links parameter
- The file_database.py component handling link insertion
Discovery Timeline
- 2025-08-11 - CVE-2025-55156 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-55156
Vulnerability Analysis
The vulnerability resides in pyLoad's file database handler, specifically in code that constructs an SQL query using string interpolation with attacker-controllable URL values. The add_links parameter, submitted via the /json/add_package API, flows into a SELECT id FROM links WHERE url IN (...) query without parameterization. An attacker who controls the URL strings can break out of the quoted context and append arbitrary SQL clauses. Because the injection occurs in a write-adjacent query path, attackers can pivot to modify or delete rows in the pyLoad database.
Root Cause
The root cause is unsafe SQL query construction in src/pyload/core/database/file_database.py. The vulnerable code joins user-supplied URL values with ',' separators and embeds the joined string directly into an f-string SQL statement. This pattern bypasses the parameter binding facilities of the underlying SQLite driver and exposes the query to injection [CWE-89].
Attack Vector
Exploitation requires network access to the pyLoad web interface and the ability to invoke the /json/add_package API. The attacker submits crafted URL entries within the add_links parameter containing SQL metacharacters such as single quotes and statement terminators. The injected payload is concatenated into the dynamic SQL string and executed by the database engine, allowing data tampering or deletion.
# Patch from pyload commit 134edcdf6e2a10c393743c254da3d9d90b74258f
"UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
data,
)
- ids = []
- statuses = "','".join(x[3] for x in data)
- self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
- for r in self.c:
- ids.append(int(r[0]))
+ urls = [x[3] for x in data]
+ placeholders = ','.join('?' * len(urls)) # Create a parameterized query with the correct number of placeholders
+ self.c.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", urls)
+
+ ids = [int(row[0]) for row in self.c.fetchall()]
return ids
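Review bot: the placeholder string built on the `+ placeholders = ','.join('?' * len(urls))` line grows with the number of links, so a package whose link list exceeds SQLite's host-parameter limit (SQLITE_MAX_VARIABLE_NUMBER, 999 on older builds) will make the `execute()` call fail with "too many SQL variables"; consider chunking `urls` into batches and extending `ids` per batch. Renaming the misleading `statuses` to `urls` is a welcome cleanup, and the in-line comment on the placeholders line would read better as a comment on the line above it.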
Source: GitHub Commit 134edcdf. The patch replaces the f-string concatenation with parameterized placeholders, eliminating the injection sink.
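The sink and its fix from the Root Cause section, exercised against a throwaway SQLite database. This is an added example, not pyLoad's code: the links table and its columns are assumed to mirror the schema the patch queries, and the fixed lookup is generalised with chunking so oversized link lists stay under SQLite's host-parameter limit.

```python
import sqlite3

# Constructed in-memory stand-in for pyLoad's links table; the table and
# column names are assumed to mirror the schema the patch queries.
SAMPLE_URLS = [
    "https://example.com/a.bin",
    "https://example.com/b.bin",
    "https://example.com/it's-a-file.bin",  # legitimate URL containing a quote
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, status INTEGER)")
    conn.executemany("INSERT INTO links (url, status) VALUES (?, 3)",
                     [(u,) for u in SAMPLE_URLS])
    return conn


def ids_vulnerable(conn, urls):
    """Pre-patch pattern: URL strings are spliced into the SQL text itself."""
    joined = "','".join(urls)
    cur = conn.execute(f"SELECT id FROM links WHERE url IN ('{joined}')")
    return sorted(int(r[0]) for r in cur)


def ids_fixed(conn, urls, max_vars=999):
    """Patched pattern, generalised with chunking so that very long link lists
    stay under SQLite's host-parameter limit (999 on older builds)."""
    ids = []
    for start in range(0, len(urls), max_vars):
        chunk = urls[start:start + max_vars]
        placeholders = ",".join("?" * len(chunk))
        cur = conn.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", chunk)
        ids.extend(int(r[0]) for r in cur)
    return sorted(ids)


def quote_breaks_vulnerable_query(conn):
    """True when a single quote inside a URL already changes the statement the
    vulnerable version runs: SQLite rejects the mangled SQL outright."""
    try:
        ids_vulnerable(conn, [SAMPLE_URLS[2]])
    except sqlite3.OperationalError:
        return True
    return False
```

The same quoted URL that makes the pre-patch statement fail is looked up correctly by the parameterized version, because the driver passes it as data rather than SQL text.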
Detection Methods for CVE-2025-55156
Indicators of Compromise
- HTTP POST requests to /json/add_package containing SQL metacharacters such as single quotes, --, ;, UNION, UPDATE, or DELETE inside the add_links parameter.
- Unexpected modifications or deletions in the pyLoad links table, or rows with anomalous status or name values not produced by normal download workflows.
- pyLoad application logs showing SQLite errors, syntax errors, or unexpected query failures correlated with API access from external sources.
Detection Strategies
- Inspect web server and reverse proxy logs for requests to /json/add_package with URL-encoded SQL syntax in the body.
- Compare the installed pyLoad version against the patched release 0.5.0b3.dev91 to identify exposed installations.
- Hash or review src/pyload/core/database/file_database.py to confirm the patched parameterized query is present.
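A log-review script for the indicators and detection strategies listed above, added here as an example rather than taken from pyLoad or any proxy vendor. It assumes a body-logging reverse proxy that writes lines in the constructed shape "METHOD PATH BODY"; a lone quote is reported at low confidence because legitimate URLs may contain one.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines ("METHOD PATH BODY"); not real pyLoad or proxy output.
SAMPLE_LOG = """\
POST /json/add_package package_name=demo&add_links=https%3A%2F%2Fexample.com%2Fa.bin
POST /json/add_package package_name=demo&add_links=https%3A%2F%2Fexample.com%2Fit%27s.bin
POST /json/add_package package_name=demo&add_links=%27%3B--
GET /json/status
"""

# The indicators the advisory lists: quote, comment/terminator tokens and DML keywords.
SQL_TOKENS = re.compile(r"('|--|;|\bUNION\b|\bUPDATE\b|\bDELETE\b)", re.IGNORECASE)


def suspicious_tokens(add_links_value):
    """Distinct SQL metacharacters/keywords present in one decoded add_links value."""
    return sorted({m.upper() for m in SQL_TOKENS.findall(add_links_value)})


def scan_log(text):
    """Return (line_no, decoded add_links value, tokens, confidence) for every
    POST to /json/add_package whose add_links field carries SQL syntax."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST" or not parts[1].startswith("/json/add_package"):
            continue
        body = parse_qs(parts[2])  # percent-decodes the form fields
        for value in body.get("add_links", []):
            tokens = suspicious_tokens(value)
            if tokens:
                confidence = "high" if len(tokens) > 1 else "low"
                findings.append((n, value, tokens, confidence))
    return findings
```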
Monitoring Recommendations
- Place pyLoad behind a web application firewall with SQL injection signatures tuned for the add_links parameter.
- Alert on API authentication anomalies or repeated 500-class responses from pyLoad endpoints.
- Track database file size and table row counts to detect mass deletion or tampering.
How to Mitigate CVE-2025-55156
Immediate Actions Required
- Upgrade pyLoad to version 0.5.0b3.dev91 or later, which contains the parameterized query fix.
- Restrict network exposure of the pyLoad web interface to trusted management networks or VPN access only.
- Enforce authentication on the pyLoad API and rotate any credentials that may have been exposed.
Patch Information
The fix is delivered in pyLoad commit 134edcdf6e2a10c393743c254da3d9d90b74258f, included in version 0.5.0b3.dev91. Refer to the GitHub Security Advisory GHSA-pwh4-6r3m-j2rf for the upstream advisory and the patched file_database.py for code-level reference.
Workarounds
- Block access to /json/add_package at a reverse proxy until the upgrade is applied.
- Apply WAF rules that reject add_links payloads containing SQL syntax such as single quotes, --, or ;.
- Back up the pyLoad database before upgrading so tampered data can be restored if compromise is suspected.
# Upgrade pyLoad to the patched release
pip install --upgrade 'pyload-ng>=0.5.0b3.dev91'
# Verify installed version
python -c "import pyload; print(pyload.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.