CVE-2025-54802: 
Python vulnerability analysis and mitigation

pyLoad, a free and open-source Download Manager written in Python, was found to contain a critical path traversal vulnerability (CVE-2025-54802) in versions 0.5.0b3.dev89 and below. The vulnerability was discovered in the CNL Blueprint component, specifically in the addcrypted endpoint, which allowed unauthenticated attackers to write arbitrary files outside the designated storage directory (GitHub Advisory).

The vulnerability exists in the addcrypted endpoint's package parameter handling within the CNL Blueprint component. The flaw stems from unsafe path construction in the dlc_path variable, where user-controlled input is insufficiently sanitized before being used in file operations. The vulnerability received a CVSS v3.1 score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory, Debian Tracker).

The vulnerability allows unauthenticated attackers to write arbitrary files outside the intended directory through path traversal. When exploited, it enables remote code execution as root by allowing attackers to inject malicious cron jobs or system files. This effectively transforms a simple file upload endpoint into a vector for complete system compromise (GitHub Advisory).

The vulnerability has been fixed in version 0.5.0b3.dev90. The fix includes implementing proper path normalization and validation to ensure that constructed file paths remain within the intended download directory. Users are strongly advised to upgrade to the patched version (GitHub Commit).