Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.5.0b3.dev90
CVE-2025-54140 describes an authenticated path traversal vulnerability within the /json/upload endpoint of pyLoad-ng. By manipulating the filename during file uploads, an attacker can bypass intended directory restrictions and write arbitrary files to locations accessible by the pyLoad process. This vulnerability poses a significant risk, potentially enabling remote code execution, local privilege escalation, and ultimately, complete system compromise. The vulnerability affects versions of pyLoad-ng up to and including 0.5.0b3.dev89, with a fix available in version 0.5.0b3.dev90.
The impact of CVE-2025-54140 is severe because it allows arbitrary file writes. An attacker who successfully exploits it can overwrite critical system files, inject malicious code, or establish persistent backdoors, which could lead to complete compromise of the affected server. Arbitrary file writes also open the door to privilege escalation, since an attacker could overwrite binaries to gain higher-level access. Because exploitation requires authentication, the immediate attack surface is limited, but once authenticated the impact is substantial. This resembles other path traversal vulnerabilities in which attackers leverage predictable file system structures to gain unauthorized access.
CVE-2025-54140 was publicly disclosed on 2025-07-21. Its severity is rated HIGH (7.5 CVSS). Currently, there are no known active campaigns targeting this vulnerability, and no public proof-of-concept exploits have been released. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's reliance on authentication may limit its immediate exploitability, but the potential for RCE makes it a high-priority concern.
Exploit Status
EPSS: 0.40% (61st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54140 is to immediately upgrade pyLoad-ng to version 0.5.0b3.dev90 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file upload permissions to the pyLoad user account to minimize the potential impact of a successful exploit. Implement strict filename validation on the /json/upload endpoint, rejecting any filenames containing directory traversal characters (e.g., ..). Consider using a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious filenames. Monitor pyLoad logs for unusual file creation or modification activity. After upgrading, confirm the fix by attempting a file upload with a filename containing directory traversal characters; the upload should be rejected.
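As an added illustration of the filename validation described above (this is example code, not pyLoad's own upload handler; `UPLOAD_DIR`, `sanitize_filename`, `safe_upload_path` and `is_accepted` are names assumed here), the following shows a defender-side check that rejects traversal sequences and path separators in a client-supplied filename, and then independently verifies that the resolved destination still lies inside the upload directory. The second check is defence in depth: even if the allow-list were relaxed later, the containment test would still catch an escape.

```python
import os
import re

# Constructed example of hardened upload filename handling.
# UPLOAD_DIR and the function names below are assumptions for this
# illustration, not pyLoad-ng's own API or configuration.
UPLOAD_DIR = "/var/lib/pyload/uploads"  # assumed upload root

# Conservative allow-list: letters, digits, dot, underscore, hyphen.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must be rejected."""


def sanitize_filename(name: str) -> str:
    """Return the bare filename if it is safe, otherwise raise UnsafeFilename.

    Rejects empty names, NUL bytes, path separators, the '.' and '..'
    components, and anything outside the allow-list. It never tries to
    strip '..' out of a name, because nested forms such as '....//' survive
    naive stripping; rejection is the only safe response.
    """
    if not name or "\x00" in name:
        raise UnsafeFilename("empty or NUL-containing filename")
    # Treat both separator styles as hostile: the app may run on Windows,
    # and a backslash has no business in an uploaded filename anyway.
    if "/" in name or "\\" in name:
        raise UnsafeFilename("path separator in filename")
    if name in (".", "..") or not _SAFE_NAME.match(name):
        raise UnsafeFilename("filename fails allow-list")
    return name


def safe_upload_path(upload_dir: str, name: str) -> str:
    """Join a validated filename onto upload_dir and prove it stays inside."""
    clean = sanitize_filename(name)
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, clean))
    # commonpath (rather than startswith) avoids prefix tricks such as
    # /var/lib/pyload/uploads2 being accepted as a child of .../uploads.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeFilename("resolved path escapes upload directory")
    return dest


def is_accepted(name: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """True only when the upload would be stored; False when it is rejected."""
    try:
        safe_upload_path(upload_dir, name)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample filenames of the kind a client could submit.
    for candidate in ["links.txt", "../../etc/passwd", "..\\..\\boot.ini",
                      "nested....//x", "evil\x00.txt", ".."]:
        verdict = "accepted" if is_accepted(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

Run the block directly to see each constructed sample classified; only `links.txt` is accepted. The same `is_accepted` check doubles as the post-upgrade verification step mentioned above: a filename carrying `..` or a separator must be rejected before any file is written.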
Update pyLoad to version 0.5.0b3.dev90 or later. This version fixes the path traversal vulnerability in the /json/upload endpoint. The update prevents arbitrary file writes on the system.
CVE-2025-54140 is a path traversal vulnerability in pyLoad-ng versions up to 0.5.0b3.dev89, allowing attackers to write arbitrary files and potentially gain remote code execution.
You are affected if you are running pyLoad-ng versions 0.5.0b3.dev89 or earlier. Upgrade to 0.5.0b3.dev90 to mitigate the risk.
Upgrade pyLoad-ng to version 0.5.0b3.dev90 or later. Implement temporary workarounds like filename validation and WAF rules if immediate upgrade is not possible.
As of 2025-07-21, there are no confirmed reports of active exploitation, but the potential for RCE warrants immediate attention.
Refer to the official pyLoad GitHub repository for updates and advisories related to CVE-2025-54140: [https://github.com/pyload/p](https://github.com/pyload/p)