CVE-2025-55156 Overview
pyLoad is a free, open-source download manager written in Python. CVE-2025-55156 is a SQL injection vulnerability [CWE-89] in the add_links parameter of the /json/add_package API endpoint. Attackers can submit crafted input that breaks out of the intended SQL context and manipulates database queries. Successful exploitation lets attackers modify or delete records, leading to data corruption or loss. The flaw affects all releases prior to version 0.5.0b3.dev91 and has been fixed in that release.
Critical Impact
Unauthenticated network attackers can inject SQL statements through the add_links parameter, allowing unauthorized modification and deletion of database content in pyLoad instances.
Affected Products
- pyLoad Download Manager versions prior to 0.5.0b3.dev91
- Component: src/pyload/core/database/file_database.py
- API endpoint: /json/add_package
Discovery Timeline
- 2025-08-11 - CVE-2025-55156 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-55156
Vulnerability Analysis
The vulnerability resides in the file database layer of pyLoad. The add_links parameter passed through the /json/add_package API is concatenated directly into a SQL statement using Python string formatting. Because the user-controlled URL values are interpolated without parameter binding, attackers can inject arbitrary SQL syntax. The affected code path executes a SELECT id FROM links WHERE url IN (...) query against the pyLoad SQLite database. The result is unauthorized read, modification, or destruction of stored package and link records.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The original implementation built the IN clause by joining the user-supplied URL strings with "','" and substituting the result into the query text via an f-string. A single quote or other SQL metacharacter inside a URL value closes the string literal, so whatever follows it is parsed as SQL rather than as data.
Attack Vector
An unauthenticated remote attacker sends a crafted POST request to the /json/add_package endpoint with a malicious add_links payload. The injected fragment is processed by the file_database.py query builder and executed against the backing database. No user interaction is required.
# Patch diff from src/pyload/core/database/file_database.py
"UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
data,
)
- ids = []
- statuses = "','".join(x[3] for x in data)
- self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
- for r in self.c:
- ids.append(int(r[0]))
+ urls = [x[3] for x in data]
+ placeholders = ','.join('?' * len(urls)) # Create a parameterized query with the correct number of placeholders
+ self.c.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", urls)
+
+ ids = [int(row[0]) for row in self.c.fetchall()]
return ids
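Review bot: the placeholder list grows one `?` per URL, and SQLite caps the number of bound host parameters in a single statement (SQLITE_MAX_VARIABLE_NUMBER, 999 on older builds), so a large add_links batch that used to run would now fail with "too many SQL variables"; consider issuing the SELECT in fixed-size chunks of urls. Also, `','.join('?' * len(urls))` relies on joining the characters of a repeated string and reads as a trick; `','.join(['?'] * len(urls))` says the same thing plainly, and the long trailing comment on that line would be clearer on its own line above it.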
Source: GitHub Commit 134edcd. The fix replaces string interpolation with parameterized placeholders, ensuring user-supplied URLs are bound as values rather than parsed as SQL.
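To make the Root Cause and the patch concrete, the following added example (not pyLoad's own code) reproduces both query builders against a constructed in-memory SQLite table with the same shape as the links table. A legitimate URL containing an apostrophe is enough to break the interpolated query, while the parameterized version looks it up correctly.

```python
import sqlite3


def seed_links():
    # Constructed stand-in for pyLoad's links table; rows are sample data, not from the project.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, status INTEGER)")
    conn.executemany(
        "INSERT INTO links (url, status) VALUES (?, ?)",
        [("http://example.com/a.bin", 1), ("http://example.com/it's.bin", 1)],
    )
    return conn


def ids_vulnerable(conn, urls):
    # Pre-patch shape: URL values are glued into the SQL text, so a quote in a URL
    # terminates the string literal and the remainder is parsed as SQL (CWE-89).
    joined = "','".join(urls)
    cur = conn.execute(f"SELECT id FROM links WHERE url IN ('{joined}')")
    return [int(r[0]) for r in cur]


def ids_fixed(conn, urls):
    # Patched shape: one '?' per URL, values bound by the driver and never parsed as SQL.
    if not urls:
        return []
    placeholders = ",".join(["?"] * len(urls))
    cur = conn.execute(f"SELECT id FROM links WHERE url IN ({placeholders})", urls)
    return [int(r[0]) for r in cur.fetchall()]


def compare(url):
    """Run both builders on one URL; report what the interpolated query does with it."""
    conn = seed_links()
    result = {"fixed": ids_fixed(conn, [url])}
    try:
        result["vulnerable"] = ids_vulnerable(conn, [url])
    except sqlite3.OperationalError:
        # The apostrophe broke the SQL syntax: the query text itself changed.
        result["vulnerable"] = "syntax error"
    return result


if __name__ == "__main__":
    print(compare("http://example.com/a.bin"))     # both builders agree
    print(compare("http://example.com/it's.bin"))  # only the parameterized query works
```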
Detection Methods for CVE-2025-55156
Indicators of Compromise
- POST requests to /json/add_package containing single quotes, SQL keywords such as UNION, SELECT, DROP, or comment sequences (--, /*) within the add_links parameter.
- Unexpected modifications or deletions in the pyLoad links and packages database tables.
- Application errors from the SQLite engine logged by pyLoad when malformed injection attempts fail to parse.
Detection Strategies
- Inspect web access logs for /json/add_package requests carrying URL-encoded SQL metacharacters in add_links.
- Compare current pyLoad binaries and Python source against version 0.5.0b3.dev91 to confirm the patched query builder is present.
- Enable SQL statement logging in the pyLoad database backend and alert on queries to the links table that contain anomalous syntax.
Monitoring Recommendations
- Forward pyLoad application and HTTP logs to a centralized logging or SIEM platform for retention and correlation.
- Track outbound database write volume and row deletions to detect bulk tampering caused by injected statements.
- Alert on repeated 4xx or 5xx responses from /json/add_package, which can indicate injection probing.
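As an added example of the access-log and request-body check described under Detection Strategies (not tooling from pyLoad or its project), the script below scans constructed proxy records for POST /json/add_package requests whose add_links value, after URL decoding, contains the metacharacters and keywords listed as indicators above. It assumes the reverse proxy in front of pyLoad logs request bodies; record field names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Indicators from the advisory: single quote, SQL comment openers, and keywords (whole words).
SQL_PATTERN = re.compile(r"'|--|/\*|\b(?:UNION|SELECT|DROP)\b", re.IGNORECASE)

# Constructed sample records, as a body-logging reverse proxy might emit them.
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "path": "/json/add_package",
     "body": "add_name=pkg1&add_links=http%3A%2F%2Fexample.com%2Fa.bin"},
    {"client": "10.0.0.9", "path": "/json/add_package",
     "body": "add_name=pkg2&add_links=http%3A%2F%2Fexample.com%2Fx%27+--+"},
    {"client": "10.0.0.7", "path": "/api/status", "body": ""},
]


def suspicious_links(body):
    """Return decoded add_links values from a form body that carry SQL metacharacters."""
    fields = parse_qs(body, keep_blank_values=True)  # first percent-decode happens here
    hits = []
    for value in fields.get("add_links", []):
        decoded = unquote_plus(value)  # second pass catches double-encoded input
        if SQL_PATTERN.search(decoded):
            hits.append(decoded)
    return hits


def scan(records):
    """Return one alert per /json/add_package request with suspicious add_links content."""
    alerts = []
    for rec in records:
        if rec["path"] != "/json/add_package":
            continue
        hits = suspicious_links(rec["body"])
        if hits:
            alerts.append({"client": rec["client"], "add_links": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Legitimate URLs can contain an apostrophe, so treat a hit as a trigger for review rather than proof of compromise, and pair it with the database-side checks above.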
How to Mitigate CVE-2025-55156
Immediate Actions Required
- Upgrade pyLoad to version 0.5.0b3.dev91 or later on every host running the download manager.
- Restrict network exposure of the pyLoad web interface to trusted management networks or place it behind an authenticated reverse proxy.
- Audit the pyLoad database for unexpected changes to the links and packages tables and restore from backup if tampering is found.
Patch Information
The fix is committed in pyload commit 134edcd and shipped in version 0.5.0b3.dev91. Details are published in the GitHub Security Advisory GHSA-pwh4-6r3m-j2rf. The patch converts the dynamic IN (...) clause into a parameterized query.
Workarounds
- Block external access to the /json/add_package endpoint at the network or reverse-proxy layer until the upgrade is applied.
- Run pyLoad under a low-privilege user account with restricted file system access to limit the impact of any database corruption.
- Take regular backups of the pyLoad database to enable recovery from malicious modifications.
# Upgrade pyLoad to the patched release
pip install --upgrade "pyload-ng>=0.5.0b3.dev91"
# Verify the installed version
pyload --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.