CVE-2025-7346

Description

### Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. ### Details Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the `Host` header to the value of `127.0.0.1:9666`. ### PoC The application has middleware that prevents access to several routes by checking whether the `Host` header has a specific value. We bypassed this restriction. https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36 ```python #: decorator def local_check(func): @wraps(func) def wrapper(*args, **kwargs): remote_addr = flask.request.environ.get("REMOTE_ADDR", "0") http_host = flask.request.environ.get("HTTP_HOST", "0") if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or http_host in ( "127.0.0.1:9666", "[::1]:9666", ): return func(*args, **kwargs) else: return "Forbidden", 403 return wrapper ``` Below we see that the '/flash/add' endpoint uses the middleware above. https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L56-L58C11 ```python @bp.route("/flash/add", methods=["POST"], endpoint="add") @local_check def add(): ``` Notice how we are not authorized to access this endpoint when sending a request.  However, if we set the `Host` header to be `127.0.0.1:9666`, we notice the request returns `success`.  Checking the front end as an admin, we now see that this did indeed succeed.  ### Impact An unauthenticated user can perform actions that should only be available to authenticated users.

How to fix CVE-2025-7346

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed