CVE-2024-39205: 
Python vulnerability analysis and mitigation

A critical remote code execution (RCE) vulnerability identified as CVE-2024-39205 affects pyload-ng version 0.5.0b3.dev85 running under Python 3.11 or below. The vulnerability allows attackers to execute arbitrary code via crafted HTTP requests to the application (Rapid7, GitHub Advisory). The vulnerability was discovered and disclosed in October 2024, with a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

The vulnerability stems from the use of js2py (CVE-2024-28397) in pyload-ng's /flash/addcrypted2 API endpoint. While this endpoint was designed to only accept localhost connections, attackers can bypass this restriction by manipulating the HOST header to access the API. The vulnerability specifically involves a sandbox escape in js2py that allows attackers to obtain a reference to a Python object in the js2py environment, enabling them to bypass pyimport restrictions and execute arbitrary commands on the host (GitHub PoC).

The vulnerability allows unauthenticated attackers to achieve remote code execution with the privileges of the running pyload-ng process. Successful exploitation could lead to complete system compromise, allowing attackers to execute arbitrary commands on the affected system (GitHub Advisory).

The primary mitigation is to run pyload-ng with Python 3.12 or above, as the application doesn't use js2py in these versions. Alternatively, users should upgrade to the newest version of pyload-ng when a patch becomes available (GitHub Advisory).