Path Traversal Vulnerability in pyLoad Download Manager Affects Unauthenticated Users
CVE-2025-54802

9.8 CRITICAL

Key Information:

Vendor:
Pyload
Status:
Vendor
CVE Published:
5 August 2025

What is CVE-2025-54802?

A vulnerability in the pyLoad-ng CNL Blueprint enables path traversal due to unsafe path construction in the addcrypted endpoint. This flaw permits unauthorized attackers to write arbitrary files outside the intended storage directories. Such exploitation can lead to critical system modifications, such as overwriting cron jobs and systemd services, resulting in potential privilege escalation and remote code execution with root privileges. Users are strongly encouraged to upgrade to version 0.5.0b3.dev90 or later to mitigate this risk.
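As an added illustration (not pyLoad's own code), the pattern behind this class of bug: a storage path built from a caller-supplied name with no containment check, next to a hardened version that resolves the joined path and rejects anything that lands outside the storage root. STORAGE_ROOT and the sample names are constructed for the example.

```python
import os
from pathlib import Path

# Constructed storage root for this illustration; not pyLoad's real layout.
STORAGE_ROOT = "/srv/pyload-storage"


def naive_storage_path(storage_root, name):
    """Weak pattern: a caller-controlled name is joined onto the storage root
    with no check on where the result ends up, so '..' segments or an
    absolute name place the write outside storage_root."""
    return os.path.normpath(os.path.join(storage_root, name))


def safe_storage_path(storage_root, name):
    """Hardened pattern: resolve the joined path (following symlinks) and
    accept it only if it is strictly inside the resolved storage root.
    Returns the resolved path as a string, or raises ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    root = Path(storage_root).resolve()
    # pathlib discards root when name is absolute, so that case fails the
    # containment check below instead of being silently accepted.
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes storage root: {name!r}")
    return str(candidate)


def classify(names, storage_root=STORAGE_ROOT):
    """Run both builders over a list of names and report, per name, where the
    naive join would write and whether the safe builder accepts it."""
    results = {}
    for n in names:
        naive = naive_storage_path(storage_root, n)
        try:
            safe, accepted = safe_storage_path(storage_root, n), True
        except ValueError:
            safe, accepted = None, False
        results[n] = {"naive": naive, "safe_accepted": accepted, "safe": safe}
    return results


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    sample = ["package.dlc", "sub/package.dlc", "../outside.dlc", "/etc/passwd"]
    for name, r in classify(sample).items():
        print(f"{name!r:20} naive={r['naive']!r:36} accepted={r['safe_accepted']}")
```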

Affected Version(s)

pyload >= 0.5.0b3.dev89, < 0.5.0b3.dev90

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published
