Platform: python
Component: pyload-ng
Fixed in: 0.5.1, 0.5.0b3.dev90
CVE-2025-54802 describes a critical Remote Code Execution (RCE) vulnerability discovered in pyLoad-ng, a Python-based download manager. This vulnerability allows unauthenticated attackers to write arbitrary files, potentially leading to privilege escalation and complete system compromise. The vulnerability affects versions of pyLoad-ng up to and including 0.5.0b3.dev89, and a fix is available in version 0.5.0b3.dev90.
The vulnerability lies within the addcrypted endpoint, specifically in how it handles the package parameter. Due to insufficient path validation, an attacker can craft a malicious request that allows them to write files outside the intended storage directory. This arbitrary file write capability is exceptionally dangerous. An attacker could overwrite critical system files, such as cron jobs or systemd service configurations, effectively gaining persistent root access to the system. The potential for lateral movement is significant, as a compromised pyLoad-ng instance could be used as a springboard to attack other systems on the network. The blast radius extends to the entire system, as successful exploitation grants the attacker complete control.
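The missing check described above, as an added example (this is not pyLoad-ng's code or the project's actual patch): a weak path join next to a hardened one for a client-supplied package name. The function names, the storage layout and the `.bin` suffix are assumptions made for illustration.

```python
# Added illustration, NOT pyLoad-ng source. Function names, storage layout
# and the ".bin" suffix are assumptions made for this example.
import os
import tempfile

SUFFIX = ".bin"  # hypothetical file extension


def unsafe_package_path(storage_dir, package):
    """Weak pattern: client-supplied name joined without validation."""
    return os.path.normpath(os.path.join(storage_dir, package + SUFFIX))


def safe_package_path(storage_dir, package):
    """Return a path for `package` that is guaranteed to stay in storage_dir."""
    if not package or "\x00" in package:
        raise ValueError("empty or NUL-containing package name")
    # Reject both separator styles so the check does not depend on the host OS.
    if "/" in package or "\\" in package or package in (".", ".."):
        raise ValueError("package name must be a single path component")
    base = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(base, package + SUFFIX))
    # Defence in depth: realpath follows symlinks, so a link planted inside
    # the storage directory cannot redirect the write elsewhere.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the storage directory")
    return candidate


def classify(storage_dir, names):
    """Map each name to 'ok' or the reason it was rejected."""
    results = {}
    for name in names:
        try:
            safe_package_path(storage_dir, name)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    samples = ["holiday-pics", "../../etc/cron.d/job", "/etc/cron.d/job", ".."]
    with tempfile.TemporaryDirectory() as tmp:
        for name, verdict in classify(tmp, samples).items():
            print(f"{name!r}: {verdict}")
```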
As of the publication date (2025-08-04), this vulnerability is not listed on the CISA KEV catalog. The EPSS score is likely to be high due to the RCE nature and the ease of exploitation. Public proof-of-concept (PoC) code is likely to emerge quickly given the straightforward nature of the path traversal vulnerability. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 1.10% (78% percentile)
The primary mitigation is to immediately upgrade pyLoad-ng to version 0.5.0b3.dev90 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the addcrypted endpoint using a firewall or access control list (ACL) to limit potential attackers. Monitor system files and directories for unexpected modifications, particularly those related to cron jobs and systemd services. Implement a Web Application Firewall (WAF) with rules to detect and block requests containing malicious path traversal attempts. Review and harden the overall security posture of the system hosting pyLoad-ng, ensuring that other potential attack vectors are addressed. After upgrading, confirm the fix by attempting to access the addcrypted endpoint with a crafted path traversal payload; the request should be rejected.
Update pyLoad to version 0.5.0b3.dev90 or higher. This fixes the path traversal vulnerability that allows remote code execution. You can update through the Python package manager or by downloading the latest version from the official repository.
CVE-2025-54802 is a critical Remote Code Execution vulnerability in pyLoad-ng versions up to 0.5.0b3.dev89, allowing attackers to write arbitrary files and potentially gain root access.
You are affected if you are running pyLoad-ng versions 0.5.0b3.dev89 or earlier. Check your version and upgrade immediately.
Upgrade to pyLoad-ng version 0.5.0b3.dev90 or later to patch the vulnerability. Implement temporary workarounds like restricting access to the /addcrypted endpoint if immediate upgrade is not possible.
While there are no confirmed reports of active exploitation as of the publication date, the ease of exploitation suggests that it is likely to be targeted soon.
Refer to the official pyLoad-ng project website and GitHub repository for the latest security advisories and updates.