CVE-2026-35592: pyLoad Path Traversal Vulnerability

CVE-2026-35592 Overview

A path traversal vulnerability exists in pyLoad, a free and open-source download manager written in Python. The vulnerability stems from an incomplete fix for a previous security issue, where the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses the incorrect function os.path.commonprefix() for path traversal validation instead of the proper os.path.commonpath() function. This allows attackers to craft malicious tar archives that can write files outside the intended extraction directory.

Critical Impact

Attackers can craft specially designed tar archives that bypass path validation checks, enabling arbitrary file writes outside the extraction directory. This could lead to file overwriting, configuration tampering, or potential code execution through file placement attacks.

Affected Products

• pyLoad versions prior to 0.5.0b3.dev97

Discovery Timeline

• 2026-04-07 - CVE CVE-2026-35592 published to NVD
• 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-35592

Vulnerability Analysis

This vulnerability represents an incomplete fix for a previously identified path traversal issue (CVE-2026-32808). While the correct function os.path.commonpath() was added to the codebase in commit 5f4f0fa to address CVE-2026-32808, the same fix was never applied to the _safe_extractall() function within the tar extraction module.

The core issue lies in the difference between os.path.commonprefix() and os.path.commonpath(). The os.path.commonprefix() function performs character-level string comparison, which can be trivially bypassed with specially crafted filenames. In contrast, os.path.commonpath() performs proper path-level comparison that correctly handles directory boundaries.

This vulnerability requires user interaction, as a victim must download and extract a malicious tar archive through pyLoad. The attack complexity is considered high due to the need for crafting specific archive structures and the requirement for user action.

Root Cause

The root cause is the use of os.path.commonprefix() instead of os.path.commonpath() in the _safe_extractall() function. The os.path.commonprefix() function compares strings character by character without understanding path semantics, making it unsuitable for security-sensitive path validation.

For example, paths like /safe/path and /safe/pathevil/../../../etc/passwd share the common prefix /safe/path, which would pass the commonprefix() check despite the second path escaping the intended directory through directory traversal sequences.

Attack Vector

The attack is network-based and requires user interaction. An attacker must:

1. Create a malicious tar archive containing files with specially crafted path names that bypass the commonprefix() check
2. Trick a user into downloading and extracting the archive through pyLoad
3. When extracted, the malicious files are written outside the intended extraction directory

The vulnerability mechanism exploits the flawed path comparison. When pyLoad's tar extractor validates file paths, the character-level comparison of commonprefix() fails to detect path traversal attempts that use similar-looking prefixes combined with ../ sequences. For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-35592

Indicators of Compromise

• Tar archives containing files with unusual path patterns or ../ sequences in member names
• Files appearing in unexpected locations outside of pyLoad's designated download directories
• Unexpected modifications to configuration files or system files following archive extraction
• Log entries showing extraction operations with suspicious path references

Detection Strategies

• Monitor file system operations during tar extraction for writes outside expected directories
• Implement file integrity monitoring on critical system directories
• Analyze incoming archive files for path traversal patterns in member names
• Review pyLoad logs for extraction operations involving unusual file paths

Monitoring Recommendations

• Enable verbose logging in pyLoad to capture all extraction activities
• Implement real-time file system monitoring with alerts for writes to sensitive directories
• Deploy endpoint detection solutions capable of identifying path traversal exploitation patterns
• Regularly audit extracted files to ensure they remain within expected directory boundaries

How to Mitigate CVE-2026-35592

Immediate Actions Required

• Upgrade pyLoad to version 0.5.0b3.dev97 or later immediately
• Review recently extracted archives for any signs of path traversal exploitation
• Audit file system for unexpected files outside pyLoad extraction directories
• Consider temporarily disabling automatic archive extraction until the patch is applied

Patch Information

The vulnerability is fixed in pyLoad version 0.5.0b3.dev97. The fix replaces the use of os.path.commonprefix() with os.path.commonpath() in the _safe_extractall() function, ensuring proper path-level comparison during tar extraction. For complete details on the fix, refer to the GitHub Security Advisory.

Workarounds

• Disable automatic tar archive extraction in pyLoad until the patch can be applied
• Manually extract downloaded archives using trusted extraction tools with proper path validation
• Implement network-level filtering to scan and block tar archives containing path traversal patterns
• Run pyLoad with minimal file system permissions to limit the impact of potential exploitation

To update pyLoad to the patched version:

# Update pyLoad to the patched version
pip install --upgrade pyload-ng>=0.5.0b3.dev97

# Verify the installed version
pip show pyload-ng | grep Version