CVE-2025-54802
Published: 05 August 2025
Summary
CVE-2025-54802 is a critical-severity Path Traversal (CWE-22) vulnerability in pyLoad-ng (Pyload-Ng Project). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
pyLoad is a free and open-source download manager written in pure Python. Versions 0.5.0b3.dev89 and earlier contain a path traversal vulnerability in the pyLoad-ng CNL Blueprint, specifically in the addcrypted endpoint, where the package parameter allows unsafe path construction. This permits arbitrary file writes outside the intended storage directory and is tracked as CWE-22 with a CVSS 3.1 score of 9.8.
Unauthenticated remote attackers can exploit the flaw over the network to overwrite arbitrary files on the host, including cron jobs and systemd service definitions. Successful abuse enables privilege escalation and remote code execution as root.
The vulnerability is resolved in version 0.5.0b3.dev90, as documented in the project’s GitHub security advisory GHSA-48rp-jc79-2264 along with the associated commit and pull request. The EPSS score remains flat at 0.0289 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23574
Vulnerability details
pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables unauthenticated remote exploitation of public-facing pyLoad (T1190); arbitrary writes directly facilitate overwriting cron jobs (T1053.003) and systemd services (T1543.002) for RCE and privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents path traversal exploits by validating the package parameter in the addcrypted endpoint against expected formats to block arbitrary file paths.
- SI-2 (Flaw Remediation): remediates the unsafe path construction vulnerability by identifying and patching the flaw as fixed in pyLoad version 0.5.0b3.dev90.
- AC-6 (Least Privilege): limits the impact of arbitrary file writes by enforcing least privilege, preventing overwrites of root-owned critical files like cron jobs and systemd services.
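The two input-side controls above (validate the package parameter against an expected format, and never let a caller-supplied name build a path outside the storage directory) can be illustrated with a small standalone example. The code below is an added illustration written for this page; it is not pyLoad's code, not the project's fix, and it does not reproduce the addcrypted endpoint. The storage root, the package-name format rule and the sample names are constructed assumptions for the example. It shows the unsafe pattern (joining an unvalidated name to the root) next to a hardened version that applies a format check first and a resolved-path containment check second, so a defender can see what each layer catches.

```python
import os
import re
from pathlib import Path

# Hypothetical storage root for the example (assumption, not pyLoad's configuration).
STORAGE_ROOT = Path("/var/lib/example-downloads").resolve()

# Expected format for a package name, assumed for this example: letters, digits,
# space, dot, dash, underscore; no path separators, no leading dot, at most 100 chars.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9 ._-]{0,99}$")


def unsafe_package_path(package: str, root: Path = STORAGE_ROOT) -> Path:
    """The vulnerable pattern: the caller-supplied name is joined to the root with
    no validation. '..' segments or an absolute name let the result leave the root."""
    return Path(os.path.join(str(root), package))


def safe_package_path(package: str, root: Path = STORAGE_ROOT) -> Path:
    """Hardened construction: format check (SI-10 style allow-list), then a
    containment check on the resolved path as defence in depth."""
    # Layer 1: reject anything that does not look like a plain package name.
    if not PACKAGE_NAME_RE.fullmatch(package):
        raise ValueError(f"package name rejected by format check: {package!r}")
    # Layer 2: resolve symlinks and '..' and confirm the result stays under root.
    candidate = (root / package).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("package path escapes the storage root") from None
    return candidate


def is_within_root(path: Path, root: Path = STORAGE_ROOT) -> bool:
    """True when the resolved path is the root or lies beneath it."""
    try:
        path.resolve().relative_to(root)
        return True
    except ValueError:
        return False


def accepts(package: str, root: Path = STORAGE_ROOT) -> bool:
    """Convenience wrapper: does the hardened builder accept this name?"""
    try:
        safe_package_path(package, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one legitimate, the rest shaped like traversal attempts.
    samples = ["My Package", "../escaped", "a/b", "/absolute/elsewhere", ".hidden", ""]
    for name in samples:
        unsafe = unsafe_package_path(name)
        print(f"{name!r:24} unsafe-join stays in root: {is_within_root(unsafe)!s:5}"
              f"  hardened accepts: {accepts(name)}")
```

The containment check matters even with a tight regex: it is the layer that still holds if the allow-list is later loosened, if a symlink is planted under the storage directory, or on a platform whose path rules differ from what the regex author assumed. Both layers are cheap, so a web handler that writes files should run both before touching the filesystem.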