CVE-2024-39205
Published: 28 October 2024
Summary
CVE-2024-39205 is a critical-severity an unspecified weakness vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-39205 is a remote code execution vulnerability affecting pyload-ng version 0.5.0b3.dev85 when running under Python 3.11 or earlier. The flaw permits arbitrary code execution through a specially crafted HTTP request and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated attacker can send a malicious HTTP request to the affected pyload-ng instance and obtain arbitrary code execution on the underlying host, resulting in full confidentiality, integrity, and availability impact.
Public references include a proof-of-concept repository, the upstream pyload project, and the GitHub Security Advisory GHSA-r9pp-r4xf-597r that documents the issue. The associated EPSS score stands at 0.8392 with an identical recorded peak, indicating sustained high exploitation probability since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2864
Vulnerability details
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.