CVE-2025-54140
Published: 22 July 2025
Summary
CVE-2025-54140 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 18.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
pyLoad, a free and open-source Python download manager, contains an authenticated path traversal vulnerability in version 0.5.0b3.dev89. The flaw resides in the /json/upload endpoint and stems from insufficient validation of uploaded filenames (CWE-22), allowing directory traversal outside the intended upload folder. An attacker who can reach the endpoint can therefore write files to arbitrary locations on the filesystem accessible to the pyLoad process; the CVSS 3.1 score of 7.5 reflects a network attack vector, low attack complexity, and high integrity impact.
An authenticated user can exploit the issue by supplying a crafted filename containing path traversal sequences during an upload request. Successful exploitation permits writing arbitrary content to any writable location, which can be leveraged for remote code execution, local privilege escalation, system compromise, persistence mechanisms, or installation of backdoors.
The vulnerability is resolved in version 0.5.0b3.dev90. Public references, including the GitHub Security Advisory GHSA-xqpg-92fq-grfg and the associated commit, confirm the patch and provide the code-level details of the fix in the json_blueprint.py handler.
The EPSS score remains flat at 0.0156 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22382
Vulnerability details
pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to: Remote Code Execution (RCE), local privilege escalation, system-wide compromise, persistence, and backdoors. This is fixed in version 0.5.0b3.dev90.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
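Added example (not pyLoad's code and not the GHSA-xqpg-92fq-grfg fix in json_blueprint.py): the weak join-the-client-filename pattern that this control addresses, beside a hardened validator that accepts only a bare file name and confirms the resolved target stays inside the upload root. UPLOAD_DIR, the function names and the sample filenames are constructed for the demonstration.

```python
import os
from pathlib import Path

# Constructed demo upload root (pyLoad's actual directory is set in its config).
UPLOAD_DIR = Path("/tmp/pyload_uploads")


def naive_upload_path(upload_dir: Path, filename: str) -> Path:
    """Weak pattern (illustrative, not pyLoad's code): the client-supplied name is
    joined to the upload directory as-is, so '..' segments or an absolute path
    land outside the intended folder."""
    return Path(os.path.join(str(upload_dir), filename))


def safe_upload_path(upload_dir: Path, filename: str) -> Path:
    """Hardened pattern: accept only a bare file name, then confirm the resolved
    target is a direct child of the resolved upload directory."""
    # Normalise Windows separators so a backslash cannot smuggle a directory part.
    normalised = filename.replace("\\", "/")
    if os.path.basename(normalised) != normalised:
        raise ValueError(f"directory components not allowed: {filename!r}")
    if normalised in ("", ".", "..") or "\x00" in normalised:
        raise ValueError(f"rejected filename: {filename!r}")
    root = upload_dir.resolve()
    target = (root / normalised).resolve()
    # Defence in depth: even a bare name must resolve inside the upload root.
    if target.parent != root:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return target


def is_safe_filename(filename: str, upload_dir: Path = UPLOAD_DIR) -> bool:
    """Boolean wrapper usable as a request-validation or log-review predicate."""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except ValueError:
        return False


def escapes_upload_dir(filename: str, upload_dir: Path = UPLOAD_DIR) -> bool:
    """True when the naive join would write outside upload_dir; useful for
    reviewing filenames logged from the /json/upload endpoint after the fact."""
    root = upload_dir.resolve()
    candidate = naive_upload_path(upload_dir, filename).resolve()
    return candidate == root or root not in candidate.parents


if __name__ == "__main__":
    # Constructed sample filenames: one benign, two traversal attempts.
    for name in ("package.zip", "../../outside.txt", "/abs/outside.txt"):
        print(f"{name!r}: naive escapes={escapes_upload_dir(name)}, "
              f"hardened accepts={is_safe_filename(name)}")
```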