CVE-2025-54802
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyload-ng_project | pyload-ng | 0.5.0b3.dev89 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows unauthenticated remote attackers to write arbitrary files anywhere on the system outside the intended storage directory. By exploiting this, attackers can overwrite critical system files like cron jobs or systemd service files, which can lead to privilege escalation and remote code execution with root privileges. This means an attacker can fully compromise the affected system, execute arbitrary commands, and gain complete control over it. [3]
Can you explain this vulnerability to me?
CVE-2025-54802 is a critical path traversal vulnerability in the pyLoad-ng download manager. It occurs in the addcrypted endpoint where a file path is constructed unsafely by concatenating a base directory with a user-supplied package name. The package name is only partially sanitized by removing certain characters, which is insufficient to prevent path traversal. This allows an unauthenticated attacker to write arbitrary files outside the intended storage directory by manipulating the package parameter. The vulnerability can be exploited to overwrite critical system files such as cron jobs or systemd services, leading to privilege escalation and remote code execution as root. The issue was fixed by normalizing and validating the constructed file path to ensure it remains within the designated directory. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /addcrypted endpoint containing unusual or path traversal patterns in the 'package' parameter, such as sequences like '../../../../'. You can use network monitoring tools or web server logs to identify such requests. For example, using grep on web server logs: `grep -E 'POST /addcrypted' /var/log/nginx/access.log | grep -E 'package=.*\.\.\/\.\.\/'` to find attempts with path traversal. Additionally, inspecting files created outside the expected download directory, especially in system directories like /etc/cron.d or systemd service folders, may indicate exploitation attempts. Commands like `find /etc/cron.d -type f -mtime -7` to find recently modified cron files can help detect unauthorized file writes. [3]
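The grep above only catches the parameter when it appears in the request line; a standard nginx access log does not record POST bodies, and a literal `../` pattern misses percent-encoded variants. The following added Python example (not part of the original page or of pyLoad-ng) parses combined-format access log lines, decodes the query string, and flags POST /addcrypted requests whose `package` value contains a traversal segment. The log lines are constructed samples, and the `203.0.113.x` addresses are documentation-range placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2025:10:00:01 +0000] "POST /addcrypted?package=myfiles&crypted=abc HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.11 - - [05/Aug/2025:10:00:02 +0000] "POST /addcrypted?package=..%2F..%2F..%2F..%2Fevil&crypted=abc HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.12 - - [05/Aug/2025:10:00:03 +0000] "GET /files HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Aug/2025:10:00:04 +0000] "POST /addcrypted HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment bounded by a slash, backslash, or the string edge.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def has_traversal(value: str) -> bool:
    """True if the value contains a '..' segment after decoding.

    parse_qs already decodes once; two extra rounds of unquote catch values
    that were double-encoded to slip past naive pattern matching.
    """
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded))


def find_addcrypted_traversal(lines):
    """Return one record per POST /addcrypted whose 'package' query parameter
    carries a traversal segment. Requests that put the parameter in the body
    (last sample line) cannot be judged from the access log alone and are
    skipped, which is the caveat to keep in mind when relying on grep."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/addcrypted":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for pkg in params.get("package", []):
            if has_traversal(pkg):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "package": unquote(pkg),
                })
    return hits


if __name__ == "__main__":
    for hit in find_addcrypted_traversal(SAMPLE_LOG.splitlines()):
        print(hit)
```

To cover body parameters as well, the application or a reverse proxy has to log request bodies (or a WAF has to inspect them); the access log on its own will only ever show query-string abuse, so a clean grep result is not evidence that no attempt was made.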
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading pyLoad-ng to version 0.5.0b3.dev90 or later, where the vulnerability is fixed by proper path normalization and validation. If upgrading is not immediately possible, restrict access to the /addcrypted endpoint to trusted users or networks, implement web application firewall (WAF) rules to block requests with suspicious 'package' parameters containing path traversal patterns, and monitor logs for exploitation attempts. Additionally, review and harden file system permissions to limit the impact of any unauthorized file writes. [1, 2, 3]