CVE-2024-32880 in pyload-nginfo

Summary

by MITRE • 04/26/2024

pyload is an open-source Download Manager written in pure Python. An authenticated user can change the download folder and upload a crafted template to the specified folder lead to remote code execution. There is no fix available at the time of publication.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/04/2025

The pyload download manager presents a critical remote code execution vulnerability that arises from insufficient input validation and improper access controls within its template handling mechanism. This vulnerability affects authenticated users who can manipulate the download folder configuration and subsequently upload malicious templates to execute arbitrary code on the target system. The flaw exists in the application's template processing pipeline where user-supplied template content is not properly sanitized before being written to the filesystem, creating a path traversal and code execution vector. The vulnerability is particularly concerning because it requires only authentication, making it accessible to any user with valid credentials rather than requiring privileged access or exploitation of additional weaknesses. The attack vector involves a user with legitimate access to the pyload interface manipulating the download directory path and uploading a crafted template file that contains malicious code, which then gets executed when the system processes the template during normal operations.

The technical implementation of this vulnerability stems from CWE-22 Path Traversal and CWE-94 Code Injection weaknesses within the application's template management system. The system fails to validate or sanitize the template file paths and content, allowing an authenticated attacker to specify arbitrary directories for template storage and execute malicious code within the context of the pyload service account. This vulnerability aligns with ATT&CK technique T1059 Command and Scripting Interpreter, as it enables execution of arbitrary commands through template processing, and T1566 Impersonation, since it leverages legitimate user credentials to perform unauthorized actions. The lack of proper input validation means that template filenames and content can include malicious payloads that are executed when the system processes these templates, potentially leading to complete system compromise.

The operational impact of this vulnerability is severe as it allows authenticated attackers to escalate their privileges and gain full control over the pyload server. An attacker with valid user credentials can upload malicious templates that execute commands with the privileges of the pyload service account, which may have access to network resources and file systems. The vulnerability enables attackers to exfiltrate data, install backdoors, modify system configurations, or use the compromised system as a pivot point to attack other networked systems. The absence of a fix at the time of publication means that organizations using pyload remain exposed to this risk, with attackers able to exploit the vulnerability for extended periods without detection. The remote code execution capability allows for persistent access and data manipulation, making this vulnerability particularly dangerous in enterprise environments where pyload might be used for managing downloads across multiple systems.

Organizations should immediately implement compensating controls to mitigate this vulnerability until a proper fix is available. Network segmentation should be implemented to limit access to pyload services to only authorized users and systems, while strict firewall rules should restrict external access to the pyload service ports. Input validation and sanitization should be enhanced to prevent malicious template uploads, including implementing strict file type checking and content validation. Access controls should be reviewed and strengthened to ensure that only authorized personnel have the ability to modify download directories and upload templates. Regular monitoring of template upload activities and filesystem changes should be implemented to detect potential exploitation attempts. Additionally, organizations should consider implementing application whitelisting to prevent execution of unauthorized code and establish incident response procedures specifically addressing template-based code execution vulnerabilities. The lack of a fix at publication time necessitates immediate defensive measures including disabling unnecessary template upload capabilities and implementing comprehensive logging of all user activities within the pyload system.

Responsible

GitHub, Inc.

Reservation

04/19/2024

Disclosure

04/26/2024

Moderation

accepted

CPE

ready

EPSS

0.01354

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!