Platform: python
Component: pyload/pyload
Fixed in: 0.5.1
CVE-2024-22416 describes a Privilege Escalation vulnerability in the pyLoad download manager. The flaw allows unauthenticated attackers to execute arbitrary API calls through Cross-Site Request Forgery (CSRF). It affects pyLoad versions prior to 0.5.0b3.dev78; that version contains the fix.
The root cause lies in the pyLoad API's design and its missing cookie hardening. Because the session cookie is not set with the SameSite=Strict attribute, the browser of a logged-in user attaches it to requests triggered from an attacker-controlled origin, so an attacker can craft cross-origin requests that impersonate that user. This effectively bypasses authentication and authorization. An attacker could use this to modify download configurations, access sensitive data, or potentially gain control over the system running pyLoad, depending on the API's functionality and the permissions of the victim account. The attacker needs no credentials of their own, which makes this particularly dangerous: anyone who can get an authenticated user's browser to issue the crafted request can exploit it.
This vulnerability was publicly disclosed on January 17, 2024. While no active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation via CSRF and the absence of any authentication requirement make it a high-priority concern. The simplicity of the attack and the widespread use of Python in various environments suggest a real potential for exploitation. It is not currently listed on CISA KEV, but its CRITICAL severity warrants close monitoring.
Exploit Status
EPSS: 5.90% (91st percentile)
CVSS Vector
The primary mitigation for CVE-2024-22416 is to upgrade pyLoad to version 0.5.0b3.dev78 or later immediately. If upgrading is not immediately feasible because of compatibility issues or downtime constraints, consider placing a Web Application Firewall (WAF) with CSRF protection rules in front of pyLoad. These rules should specifically target pyLoad's API endpoints and validate the Origin header so that cross-origin requests are rejected. Additionally, review and restrict access to the pyLoad API endpoints to minimize the impact of a successful attack. After upgrading, confirm the fix by attempting a CSRF request against a pyLoad API endpoint with a tool such as Burp Suite and verifying that the request is rejected.
Upgrade pyLoad to version 0.5.0b3.dev78 or higher. This version fixes the CSRF vulnerability by implementing appropriate protection measures. The update can be performed through the Python package manager or by downloading the latest version from the official repository.
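The two defensive controls described above, a session cookie carrying SameSite=Strict and a server- or WAF-side Origin check on state-changing API calls, as an added standalone example. This is illustrative code written for this page, not pyLoad's own implementation; the cookie name and the allowed origin are assumed values.

```python
"""Defensive controls against the CSRF weakness of CVE-2024-22416 (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed deployment origin of the pyLoad web UI (constructed value, not real).
ALLOWED_ORIGINS = {"http://pyload.internal:8000"}
# Methods that must not change state and therefore need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def build_session_cookie(session_id: str, secure: bool = True) -> str:
    """Return a Set-Cookie header value for the session cookie.

    The vulnerable versions omit SameSite, so a browser attaches the cookie to
    requests initiated from any origin. SameSite=Strict makes the browser drop
    it on cross-site requests, which is the fix the advisory describes.
    """
    cookie = SimpleCookie()
    cookie["pyload_session"] = session_id  # cookie name is assumed, not pyLoad's
    morsel = cookie["pyload_session"]
    morsel["samesite"] = "Strict"
    morsel["httponly"] = True
    morsel["path"] = "/"
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def is_cross_origin_blocked(method: str, headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """WAF-style rule: return True when a request must be rejected.

    State-changing requests must carry an Origin (or, failing that, a Referer)
    that matches the deployment's own origin. Missing headers fail closed, and
    an Origin of "null" is rejected because it is never in the allow-list.
    """
    if method.upper() in SAFE_METHODS:
        return False
    hdr = {k.lower(): v for k, v in headers.items()}
    origin = hdr.get("origin")
    if origin is None and "referer" in hdr:
        parts = urlsplit(hdr["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None:
        return True  # no way to attribute the request to an origin: reject
    return origin not in allowed
```

Deploying the check only on the API paths while leaving the login page reachable keeps the rule from locking out first-time logins, which carry no session cookie yet.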
CVE-2024-22416 is a CRITICAL vulnerability in the pyLoad download manager that allows unauthenticated attackers to execute arbitrary API calls via CSRF, caused by a missing SameSite attribute on the session cookie.
You are affected if you are running a pyLoad version prior to 0.5.0b3.dev78. Upgrade to the latest version to mitigate the risk.
Upgrade pyLoad to version 0.5.0b3.dev78 or later. As a temporary workaround, implement a WAF with CSRF protection rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the pyLoad project's official channels and GitHub repository for the latest advisory and updates: [https://github.com/pyLoad/pyLoad](https://github.com/pyLoad/pyLoad)