CVE-2025-7346: 
Python vulnerability analysis and mitigation

CVE-2025-7346 is a security vulnerability discovered in Pyload that allows unauthenticated attackers to bypass localhost restrictions. The vulnerability was disclosed on July 8, 2025, affecting Pyload versions prior to 0.5.0b3.dev77. The issue enables attackers to bypass application's localhost restrictions and create arbitrary packages (GitHub Advisory, NVD).

The vulnerability stems from improper access control in the application's middleware that validates the Host header. The application checks whether the Host header has a specific value, but this can be bypassed by setting the Host header to '127.0.0.1:9666'. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N. The weakness has been classified as CWE-281 (Improper Preservation of Permissions) (GitHub Advisory, NVD).

The vulnerability allows an unauthenticated attacker to perform actions that should only be available to authenticated users. Specifically, attackers can bypass localhost restrictions and create arbitrary packages, potentially compromising the system's security (GitHub Advisory).

As of the disclosure date, there is no official patch available for this vulnerability. The latest affected version is 0.5.0b3.dev77, and no patched versions have been released (GitHub Advisory).