SSL certificate verification disabled in pyload/pyload


Reported on

Jan 19th 2023


When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Proof of Concept

  1. Add package with a link whose host's SSL certificate is invalid. E.g.
  2. Go to the Files tab and see there is the content of the above-mentioned link.


This vulnerability is capable of allowing an attacker to intercept data sent over HTTPS connections .

We are processing your report and will contact the pyload team within 24 hours. 2 months ago
We have contacted a member of the pyload team and are waiting to hear back 2 months ago
pyload/pyload maintainer validated this vulnerability 2 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev44 with commit a9098b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 2 months ago has been validated
to join this conversation