Cyber Resilience

CVE-2025-54802

Critical · Public PoC

Published: 05 August 2025

Modified: 09 October 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0289 (86.6th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54802 is a critical-severity Path Traversal (CWE-22) vulnerability in pyload-ng (vendor: Pyload-Ng Project). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

pyLoad is a free and open-source download manager written in pure Python. Versions 0.5.0b3.dev89 and earlier contain a path traversal vulnerability in the pyLoad-ng CNL Blueprint, specifically in the addcrypted endpoint, where the package parameter allows unsafe path construction. This permits arbitrary file writes outside the intended storage directory and is tracked as CWE-22 with a CVSS 3.1 score of 9.8.

Unauthenticated remote attackers can exploit the flaw over the network to overwrite arbitrary files on the host, including cron jobs and systemd service definitions. Successful abuse enables privilege escalation and remote code execution as root.

The vulnerability is resolved in version 0.5.0b3.dev90, as documented in the project’s GitHub security advisory GHSA-48rp-jc79-2264 along with the associated commit and pull request. The EPSS score remains flat at 0.0289 with no material increase after disclosure.

Vulnerability details

pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1053.003 Cron (Execution)
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.

T1543.002 Systemd Service (Persistence)
Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.

Why these techniques?

Path traversal enables unauthenticated remote exploitation of public-facing pyLoad (T1190); arbitrary writes directly facilitate overwriting cron jobs (T1053.003) and systemd services (T1543.002) for RCE and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42315 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-35463 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-29778 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-35187 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-42313 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-35459 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-32808 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-33511 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-33509 (Same product: Pyload-Ng Project Pyload-Ng)
CVE-2026-25539 (Shared CWE-22)

Affected Assets

pyload-ng project
pyload-ng
0.5.0b3.dev89

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal exploits by validating the package parameter in the addcrypted endpoint against expected formats to block arbitrary file paths.

prevent

Remediates the unsafe path construction vulnerability by identifying and patching the flaw as fixed in pyLoad version 0.5.0b3.dev90.

prevent

Limits impact of arbitrary file writes by enforcing least privilege, preventing overwrites of root-owned critical files like cron jobs and systemd services.
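
The input-validation control above, sketched as an added example (not pyLoad's code and not the project's actual fix): an unsafe join of a request parameter beside a hardened version that allow-lists the name and then checks containment after path resolution. The function names, the .pkg suffix and the allow-list pattern are assumptions made for illustration.

```python
import os
import re

# Assumption: package names only need letters, digits, space, dot, dash, underscore.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}")


def unsafe_target(storage_dir, package, suffix=".pkg"):
    """Unsafe pattern: the request parameter is joined into the path as-is."""
    return os.path.join(storage_dir, package + suffix)


def safe_target(storage_dir, package, suffix=".pkg"):
    """Allow-list the name, then verify the resolved path stays in storage_dir."""
    if not _SAFE_NAME.fullmatch(package) or ".." in package:
        raise ValueError(f"rejected package name: {package!r}")
    root = os.path.realpath(storage_dir)
    # realpath also resolves a symlink planted inside the storage directory.
    target = os.path.realpath(os.path.join(root, package + suffix))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes storage directory: {package!r}")
    return target


def audit(storage_dir, names):
    """Return {name: resolved path, or None if rejected} for constructed inputs."""
    results = {}
    for name in names:
        try:
            results[name] = safe_target(storage_dir, name)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample values, not taken from any real request.
        for name, path in audit(d, ["holiday-photos", "../outside", "/abs/name"]).items():
            print(f"{name!r:20} -> {path or 'REJECTED'}")
```

The containment check is kept even though the allow-list already excludes separators, so a later loosening of the pattern or a symlink inside the storage directory does not reopen the write-outside-directory condition.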
