How to fix CVE-2024-21644?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Python affected by CVE-2024-21644?

Organizations using pyLoad face notable risk from CVE-2024-21644, a improper access control vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments. With an EPSS score of 87%, this vulnerability faces very high likelihood of exploitation.

CVE-2024-21644

HIGH

2024-01-08 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:34 vuln.today

Patch Released

Mar 28, 2026 - 19:34 nvd

Patch available

PoC Detected

Nov 21, 2024 - 08:54 vuln.today

Public exploit code

CVE Published

Jan 08, 2024 - 14:15 nvd

HIGH 7.5

Description

pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.

Analysis

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint. Attackers can extract this key to forge session cookies, impersonate the administrator, and execute arbitrary code through pyLoad's plugin system.

Technical Context

A specific URL path in pyLoad's web interface returns the full Flask application configuration without requiring authentication. The exposed data includes the SECRET_KEY used for signing session cookies. With this key, an attacker can forge a valid session cookie for any user including the administrator. pyLoad's admin interface allows plugin installation and script execution.

Affected Products

['pyLoad < 0.5.0b3.dev77']

Remediation

Update to pyLoad 0.5.0b3.dev77 or later. Regenerate the SECRET_KEY after patching. Never expose pyLoad's web interface to the internet without additional authentication layers. Review installed plugins for unauthorized additions.

Priority Score

144

Low Medium High Critical

KEV: 0

EPSS: +86.5

CVSS: +38

POC: +20

CVE-2024-21644 vulnerability details – vuln.today

Back

CVE-2024-21644

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-21644

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code