CVE-2025-54140: 
Python vulnerability analysis and mitigation

CVE-2025-54140 is a path traversal vulnerability discovered in pyLoad, a free and open-source Download Manager written in Python. The vulnerability was identified in version 0.5.0b3.dev89 and affects the /json/upload endpoint. The issue was disclosed on July 21, 2025, and has been fixed in version 0.5.0b3.dev90 (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 7.5 (High). The attack vector is network-based with low attack complexity, requiring no privileges or user interaction. The vulnerability exists in the /json/upload endpoint where the application fails to properly sanitize the filename parameter, allowing attackers to manipulate file paths using '../' sequences (GitHub Advisory).

The vulnerability allows authenticated attackers to write arbitrary files to any location on the system accessible to the pyLoad process. This can lead to several severe consequences including Remote Code Execution (RCE), local privilege escalation, system-wide compromise, and the establishment of persistence through backdoors (GitHub Advisory).

The vulnerability has been patched in version 0.5.0b3.dev90 through the implementation of proper filename sanitization using werkzeug.utils.secure_filename(). Users are advised to upgrade to this version or later to protect against this vulnerability (GitHub Commit).