Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init.
Details
The vulnerability exists in PyLoad's download package functionality (/api/addPackage endpoint), which directly passes user-supplied URLs to the download engine without validating the destination. The affected code in src/pyload/webui/app/blueprints/api_blueprint.py:
@bp.route("/addPackage", methods=["POST"], endpoint="add_package")
@login_required
def add_package():
name = flask.request.form["add_name"]
links = flask.request.form["add_links"].split("\n")
# ... validation omitted ...
api.add_package(name, links, dest)
# No URL validationThe download engine in src/pyload/core/managers/download.py accepts any URL scheme and initiates HTTP requests to arbitrary destinations, including internal network addresses and cloud metadata endpoints.
Proof of Concept
Live Demo Instance: http://143.244.141.81:8000 Credentials: pyload / pyload
- Login into the pyload application
- Navigate to package tab and enter the package name and fill the Link section with the following URL
http://169.254.169.254/metadata/v1.json<img width="1851" height="786" alt="image" src="https://github.com/user-attachments/assets/18e7aedf-7663-4a57-8f3e-5200be2c958e" />
- Now navigate to Files section and download the link.
<img width="1429" height="870" alt="image" src="https://github.com/user-attachments/assets/9b8b9cd6-afb7-461c-b058-a3cc4f26e2e6" />
- It was observed that we are able to Read the Digital Ocean Metadata
<img width="1872" height="837" alt="image" src="https://github.com/user-attachments/assets/d30d2d74-53e9-46f8-8206-894a275ac831" />
The downloaded v1.json file contains sensitive cloud infrastructure data:
- Droplet ID: Unique identifier for the instance
- Network Configuration: Public/private IP addresses, VPC topology
- Authentication Keys: Cloud provider auth tokens
- SSH Keys: Public keys configured in droplet metadata
- Region and Datacenter: Infrastructure location
Impact
Vulnerability Type: Server-Side Request Forgery (SSRF) CVSS Score: 7.7 - 9.1 (High to Critical, depending on cloud deployment)
Affected Systems
- All PyLoad installations (version 0.5.0 and potentially earlier)
- Critical Impact on cloud deployments (AWS EC2, DigitalOcean, Google Cloud, Azure) where metadata contains:
- IAM credentials (AWS)
- SSH private keys (configured in user-data)
- API tokens and secrets
- Database credentials stored in cloud-init
Attack Requirements
- Valid PyLoad user account (any role - ADMIN or USER)
- Network connectivity to PyLoad instance
Security Impact
- Cloud Metadata Theft: Complete exfiltration of instance metadata
- Lateral Movement: Discovery and enumeration of internal network services
- Credential Exposure: Theft of cloud IAM credentials, SSH keys, API tokens
- Infrastructure Mapping: Network topology, IP addressing, service discovery
Remediation
Implement URL validation in the download engine:
- Whitelist allowed URL schemes (http/https only)
- Block requests to private IP ranges (RFC 1918, link-local addresses)
- Block cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.)
- Implement request destination validation before initiating downloads
AnalysisAI
PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.
Technical ContextAI
The vulnerability affects pyload-ng distributed via pip (pkg:pip/pyload-ng), identified as CWE-918 Server-Side Request Forgery. The flaw exists in PyLoad's web API blueprint (src/pyload/webui/app/blueprints/api_blueprint.py) where the add_package function accepts user-supplied URLs and passes them directly to the download engine (src/pyload/core/managers/download.py) without validation of the destination. This allows authenticated users to specify internal network addresses including RFC 1918 private ranges, link-local addresses (169.254.x.x), and cloud metadata endpoints. The download engine initiates HTTP requests to these arbitrary destinations, making the PyLoad server act as a proxy for accessing restricted resources. Cloud metadata services exposed at 169.254.169.254 (AWS, DigitalOcean, Azure) and metadata.google.internal (GCP) contain sensitive instance credentials, configuration data, and authentication tokens that should never be accessible to application users.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed based on commit reference at https://github.com/pyload/pyload/commit/b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8. Organizations should monitor the official PyLoad repository at https://github.com/pyload/pyload for release announcements containing this commit and upgrade immediately when available. Until patching is possible, implement network-layer controls to block PyLoad server egress to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and cloud metadata endpoints using firewall rules or security groups. On cloud platforms, apply IMDSv2 (Instance Metadata Service version 2) where available on AWS to require session tokens that SSRF attacks cannot easily obtain. Restrict PyLoad user account creation and audit existing accounts to minimize insider threat surface. Consider deploying PyLoad in isolated network segments without access to production infrastructure or cloud metadata services.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16886
GHSA-m74m-f7cr-432x