Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
Description
pyLoad is a free and open-source download manager written in pure Python. The pyLoad API allows any API call to be made using GET requests. Because the session cookie is not set to SameSite=Strict, a browser attaches it to cross-site requests, which opens the application up to Cross-Site Request Forgery (CSRF) attacks. As a result any API call, including those that require administrator privileges, can be made via a CSRF attack by an unauthenticated attacker. This issue has been addressed in release 0.5.0b3.dev78. All users are advised to upgrade.
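The advisory's argument rests on which cross-site requests a browser attaches the session cookie to, and why SameSite=Strict rather than Lax is needed when an API accepts GET. The following is an added example, not pyLoad's own code: it parses a Set-Cookie header, models the SameSite rules of current major browsers (an assumption, not something the advisory states), and audits a cookie for the CSRF-relevant weaknesses. The sample headers are constructed to approximate the three configurations visible on this page (attribute unset, "None", "Strict"); the cookie value and the helper names are hypothetical.

```python
"""Which cross-site requests carry a session cookie, by SameSite value.

Added example, not pyLoad's code.  Browser behaviour encoded in
sent_cross_site() is an assumption about current major browsers; the
Set-Cookie headers at the bottom are constructed samples.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieAttrs:
    name: str
    samesite: str  # "Strict", "Lax", "None", or "" when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> CookieAttrs:
    """Pull the cookie name, SameSite and Secure out of a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite, secure = "", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().capitalize()  # normalise "strict" -> "Strict"
        elif key == "secure":
            secure = True
    return CookieAttrs(name, samesite, secure)


def sent_cross_site(cookie: CookieAttrs, top_level_get: bool, https: bool) -> bool:
    """Would a browser attach this cookie to a cross-site request?

    Assumed rules (current major browsers):
      * Strict: never sent on a cross-site request.
      * Lax, or attribute absent: sent only on top-level GET navigations
        (a link or redirect), not on <img>/<form>/fetch subrequests.
      * None: sent on every cross-site request, but only honoured when the
        cookie is also Secure; a non-Secure SameSite=None cookie is rejected
        at set time, and a Secure cookie is never sent over plain HTTP.
    """
    mode = cookie.samesite or "Lax"
    if mode == "Strict":
        return False
    if mode == "Lax":
        return top_level_get
    return cookie.secure and https


def audit_session_cookie(header: str, api_accepts_get: bool, https: bool) -> List[str]:
    """Defender-side check: list the CSRF-relevant weaknesses of a session cookie.

    api_accepts_get mirrors the advisory's statement that every pyLoad API
    call can be issued with GET, which is what makes Lax insufficient.
    """
    c = parse_set_cookie(header)
    findings: List[str] = []
    if c.samesite == "None" and not c.secure:
        findings.append("SameSite=None without Secure: current browsers discard "
                        "the cookie, older ones send it on every cross-site request")
    elif c.samesite == "None":
        findings.append("SameSite=None: cookie attached to every cross-site "
                        "request, so any API call can be forged")
    elif c.samesite != "Strict" and api_accepts_get:
        findings.append("SameSite=Lax or unset: cookie still rides on cross-site "
                        "top-level GET navigations, and the API accepts GET")
    if https and not c.secure:
        findings.append("Secure flag missing on an HTTPS deployment")
    return findings


# Constructed sample headers (cookie value is made up), one per configuration.
BEFORE_FIX = "pyload_session=abc123; Path=/; HttpOnly"                   # attribute unset -> Lax
INTERIM = "pyload_session=abc123; Path=/; HttpOnly; SameSite=None"       # explicit "None", plain HTTP
AFTER_FIX = "pyload_session=abc123; Path=/; HttpOnly; SameSite=Strict"   # the patched setting

if __name__ == "__main__":
    for label, hdr in (("unset", BEFORE_FIX), ("None", INTERIM), ("Strict", AFTER_FIX)):
        print(label, audit_session_cookie(hdr, api_accepts_get=True, https=False))
```

Running the block shows the unset and "None" configurations each produce a finding while "Strict" produces none over HTTP; passing `https=True` for the Strict header reports only the missing Secure flag, which is the remaining gap when `use_ssl` is off.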
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyload-ng (PyPI) | < 0.5.0b3.dev78 | 0.5.0b3.dev78 |
Patches
1374c824271c fix GHSA-pgpj-v85q-h5fm security advisory (2)
1 file changed · +1 −1
src/pyload/webui/app/__init__.py+1 −1 modified@@ -112,7 +112,7 @@ def _configure_session(cls, app): app.config["SESSION_FILE_DIR"] = cache_path app.config["SESSION_TYPE"] = "filesystem" app.config["SESSION_COOKIE_NAME"] = "pyload_session" - app.config["SESSION_COOKIE_SAMESITE"] = "None" + app.config["SESSION_COOKIE_SAMESITE"] = "Strict" app.config["SESSION_COOKIE_SECURE"] = app.config["PYLOAD_API"].get_config_value("webui", "use_ssl") app.config["SESSION_PERMANENT"] = False
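Review bot: "Strict" is the right value here rather than "Lax", because the advisory says every API call can be issued with a GET request and Lax still attaches the cookie to cross-site top-level GET navigations; Strict withholds it on every cross-site request. Two caveats on this hunk: the unchanged line below still derives SESSION_COOKIE_SECURE from the webui use_ssl setting, so on a plain-HTTP deployment the cookie is sent without Secure, and SameSite is enforced only by browsers that implement it, so a per-request CSRF token (or refusing state-changing API calls over GET) would be worth adding as defence in depth. Strict also drops the session on any navigation into the web UI from another site; that is an acceptable cost for a download manager but deserves a line in the release notes.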
c7cdc18ad913 fix GHSA-pgpj-v85q-h5fm security advisory
2 files changed · +4 −4
setup.cfg+3 −4 modified@@ -66,13 +66,12 @@ package_dir = = src install_requires = Cheroot~=8.4 - Flask;python_version<"3.8" - Flask~=2.3.0;python_version>="3.8" + Flask Flask-Babel~=1.0 Flask-Caching~=1.9 Flask-Compress~=1.8 - Flask-Session~=0.3;python_version<"3.7" - Flask-Session2~=1.3;python_version>="3.7" + Flask-Session~=0.4.1;python_version<"3.7" + Flask-Session;python_version>="3.7" Flask-Themes2~=1.0 bitmath~=1.3 cryptography>=35.0.0;platform_python_implementation!="PyPy"
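Review bot: The replacement lines drop the upper bound on Flask (`Flask~=2.3.0;python_version>="3.8"` becomes a bare `Flask`) and swap `Flask-Session2~=1.3` for an unbounded `Flask-Session` on Python >= 3.7, so a future major release of either can change session-cookie defaults out from under the SESSION_COOKIE_* settings this fix relies on; keeping compatible-release (`~=`) bounds as the removed lines had would be safer. The commit message also does not say why the session library swap is part of a security fix; a sentence explaining that the new SESSION_COOKIE_SAMESITE setting needs it (if that is the reason) would help future readers.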
src/pyload/webui/app/__init__.py+1 −0 modified@@ -112,6 +112,7 @@ def _configure_session(cls, app): app.config["SESSION_FILE_DIR"] = cache_path app.config["SESSION_TYPE"] = "filesystem" app.config["SESSION_COOKIE_NAME"] = "pyload_session" + app.config["SESSION_COOKIE_SAMESITE"] = "None" app.config["SESSION_COOKIE_SECURE"] = app.config["PYLOAD_API"].get_config_value("webui", "use_ssl") app.config["SESSION_PERMANENT"] = False
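Review bot: This hunk sets SESSION_COOKIE_SAMESITE to "None", the most permissive value: the browser attaches pyload_session to every cross-site request, which is exactly the condition the advisory describes. SameSite=None is also only honoured by current browsers when the cookie carries Secure, and the next line sets SESSION_COOKIE_SECURE from use_ssl, so on an HTTP deployment modern browsers would discard the cookie (breaking login) while older ones would send it cross-site. The follow-up commit 1374c824271c on this page changes the value to "Strict"; that is the line this commit should have carried.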
References
- github.com/advisories/GHSA-pgpj-v85q-h5fm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22416 (advisory)
- github.com/pyload/pyload/commit/1374c824271cb7e927740664d06d2e577624ca3e (fix commit)
- github.com/pyload/pyload/commit/c7cdc18ad9134a75222974b39e8b427c4af845fc (fix commit)
- github.com/pyload/pyload/security/advisories/GHSA-pgpj-v85q-h5fm (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pyload-ng/PYSEC-2024-17.yaml (PyPA advisory record)