
pyload-ng, Information Disclosure, CVE-Pending (Medium)

How the Vulnerability Works

This vulnerability in pyload-ng stems from a combination of three programming flaws that together allow an unauthenticated attacker to view full system error logs.
1. Unauthenticated Route: The WebUI exposes the route `/web/` in `app_blueprint.py` which renders user-controlled template names. Critically, this route is not protected by the `@login_required` decorator, making it accessible to anyone.
2. Unsafe Error Handler: The global exception handler in `handlers.py` uses `traceback.format_exc()` to capture full stack trace details when an error occurs.
3. Verbose Error Response: These captured stack traces are appended and rendered into the final HTML error page via the `base.html` template.
By requesting a non-existent template name through the unauthenticated `/web/` route (e.g., `GET /web/non_existent`), an attacker can force the application into an unhandled exception. Instead of a generic 500 error, the server returns the full, detailed Python traceback, exposing internal paths and code structure to the remote attacker.

DailyCVE Form

Platform: `python pyload-ng`
Version: `all versions`
Vulnerability: `information leak`
Severity: `low` < `medium`
date: `(current date)`

Prediction: `patch not known`

What Undercode Say:

Analytics show this is a low-complexity attack but with medium potential impact for reconnaissance. An exposed stack trace can reveal:
– Absolute file paths of the server
– Internal function names and logic
– Third-party library versions
This information significantly increases the success rate of follow-on attacks.

Exploit:

An unauthenticated attacker can exploit this by sending a simple GET request to a malformed WebUI path:

```
curl http://target-ip:8001/web/trigger_error
```

Python Proof of Concept (from )

```python
def main():
    # ... setup code ...
    raised_exception = True  # Example trigger
    traceback_details = "Full Traceback (most recent call last)..."  # Returns full stack
```

The server will respond with a full Python stack trace, disclosing internal configuration.

Protection from this CVE

  • Primary Mitigation: Remove the `@bp.route("/web/")` endpoint or protect it with `@login_required`.
  • Update Error Handler: Modify `handlers.py` to sanitize `messages` before rendering in `base.html`, displaying only a generic "Internal Server Error".
  • Disable Debug Mode: Ensure the application is not running in a debug or development environment that enables verbose error pages.
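
The error-handler change from the list above, shown as an added example that is not pyload-ng's code and not part of the original post: the verbose pattern beside a hardened form that keeps the trace in the server log, plus a check usable in a regression test. It is framework-free so it runs without Flask; the function names, the logger name and the constructed `LookupError` are assumptions.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("webui.errors")  # hypothetical logger name

# Text that indicates a Python stack trace reached the response body.
TRACE_MARKERS = re.compile(
    r'Traceback \(most recent call last\)|File "[^"]+", line \d+'
)

def leaks_traceback(body):
    """Regression check: True if a response body contains stack-trace text."""
    return bool(TRACE_MARKERS.search(body))

def verbose_error_messages(exc):
    """Pattern described above: the formatted trace is put into the page."""
    trace = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__))
    return ["Error " + type(exc).__name__, trace]

def generic_error_messages(exc):
    """Hardened form: trace goes to the server log, client gets a reference."""
    ref = uuid.uuid4().hex[:12]
    log.error("unhandled exception ref=%s", ref,
              exc_info=(type(exc), exc, exc.__traceback__))
    return ["Internal Server Error", "Reference: " + ref], ref

def simulate_missing_template(name):
    """Constructed stand-in for a failed template lookup."""
    try:
        raise LookupError("template not found: " + name)
    except LookupError as exc:
        return exc

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    exc = simulate_missing_template("non_existent")
    print(leaks_traceback("\n".join(verbose_error_messages(exc))))
    messages, ref = generic_error_messages(exc)
    print(messages, leaks_traceback("\n".join(messages)))
```

The reference string lets an operator find the matching log entry without showing the client any paths or function names.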

Impact

  • Vulnerability type: Information Disclosure / Stack Trace Leakage.
  • Attack Surface: Unauthenticated, remote access over the network.
  • Impact: Exposure of sensitive internal application data (paths, code structure), providing attackers with critical intelligence to map the application and chain other exploits.

Sources:

Reported By: github.com