GHSA-rfgh-63mg-8pwm: Improper Authorization in pyLoad-ng WebUI Endpoints

pyLoad-ng is a download manager that exposes both a core application programming interface (API) and a web-based user interface (WebUI). The WebUI utilizes a JSON blueprint to handle asynchronous requests from the frontend client. The core API enforces granular permissions, defining explicit roles such as Perms.ADD, Perms.DELETE, and Perms.MODIFY to govern user actions.

A security vulnerability, designated as GHSA-rfgh-63mg-8pwm, exists in the WebUI's JSON blueprint authorization layer. The WebUI implements authorization checks using route decorators before passing execution to the core API. A mismatch exists between the permission level enforced by the WebUI decorators and the strict permission requirements defined within the underlying core API methods.

This improper authorization allows authenticated users holding only lower-tier permissions to perform administrative or modifying actions. Specifically, users restricted to ADD or DELETE capabilities can invoke endpoints that execute core functions requiring MODIFY privileges. This failure in defense-in-depth enables privilege escalation within the application context.

The root cause of GHSA-rfgh-63mg-8pwm is an improper authorization implementation within src/pyload/webui/app/blueprints/json_blueprint.py. The routing layer explicitly assigns authorization checks via the @login_required decorator. These decorators specify a string value representing the required permission to access the specific endpoint.

The vulnerability manifests across three distinct endpoints. The /json/package_order and /json/link_order routes are protected by the @login_required("ADD") decorator. When invoked, these routes pass execution to api.order_package(...) and api.order_file(...), respectively. The core api implementation explicitly requires Perms.MODIFY to execute these reordering functions.

Similarly, the /json/abort_link endpoint is secured with the @login_required("DELETE") decorator. This route subsequently calls the api.stop_downloads(...) core method, which also mandates Perms.MODIFY. The web layer fails to perform the correct authorization verification, resulting in a bypass of the core API's intended security model. The presence of correctly implemented decorators on other endpoints, such as /json/edit_package requiring MODIFY, confirms this is an implementation oversight rather than a design choice.

To understand the mechanics, we evaluate the interaction between the WebUI blueprint and the core API. The vulnerable implementation in json_blueprint.py relies on the routing wrapper to validate access before passing execution downward. The web application effectively acts as an intermediary with elevated permissions when calling the core API on behalf of the user, failing to re-verify if the user's session token holds the required core permissions.

The conceptual code snippet below illustrates the discrepancy between the routing configuration and the backend logic. The decorator checks the session state for the "ADD" permission, allowing the request to proceed if the minimal condition is met. The underlying api.order_package function assumes the web layer has already validated the necessary "MODIFY" requirement.

# Vulnerable route definition in json_blueprint.py
@bp.route('/json/package_order', methods=['POST'])
@login_required("ADD") # Flaw: Only checks for ADD permission
def package_order():
    pack_id = request.json.get('pack_id')
    pos = request.json.get('pos')
    # The web layer invokes the core API which requires MODIFY
    api.order_package(pack_id, pos)
    return jsonify({"status": "success"})

A comprehensive fix requires synchronizing the @login_required decorators with the strict permission requirements of the backend functions. The decorators for /json/package_order, /json/link_order, and /json/abort_link must be updated to @login_required("MODIFY"). This ensures the authorization check at the web application boundary matches the security requirements of the underlying business logic.

Exploitation of GHSA-rfgh-63mg-8pwm requires an attacker to possess valid credentials for the pyLoad WebUI. The user account must be assigned at least the ADD permission role to reach the vulnerable reordering endpoints, or the DELETE permission role to reach the abort endpoint. No specific network positioning is required beyond standard HTTP access to the application port.

The attack relies on crafting standard HTTP POST requests to the affected JSON endpoints. The attacker authenticates to establish a session, then transmits JSON payloads containing the required parameters, such as pack_id and pos, to the target routes. The WebUI framework processes the request, validates the weak authorization requirement, and executes the restricted core API method.

A functional Proof of Concept (PoC) utilizing the Flask test client demonstrates the exploit execution. The script provisions a mock environment with a user restricted strictly to Perms.ADD. The user successfully submits POST requests to /json/package_order and /json/link_order. The application responds with HTTP status 200, confirming the execution of the privileged core API calls.

# Extract from PoC script demonstrating the exploit execution
with app.test_client() as c:
    with c.session_transaction() as s:
        s['authenticated'] = True
        s['name'] = 'attacker'
        s['role'] = int(Role.USER)
        s['perms'] = int(Perms.ADD) # Attacker holds only ADD permissions
 
    # Invoking MODIFY actions as an ADD-only user
    r1 = c.post('/json/package_order', json={'pack_id': 5, 'pos': 0})
    r2 = c.post('/json/link_order', json={'file_id': 77, 'pos': 1})

The vulnerability carries a CVSS v3.1 score of 5.4, categorized as Moderate severity. The scoring vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) reflects the requirement for low-privileged network access without user interaction. The flaw does not expose sensitive data, leading to a confidentiality impact metric of None.

The integrity impact is categorized as Low. Attackers can arbitrarily modify the state of the download queue by reordering packages and individual files. While this disrupts the intended operational flow configured by administrators, it does not allow the attacker to execute arbitrary code or corrupt critical system files. The scope is restricted to the internal application state managed by pyLoad.

The availability impact is also categorized as Low. Users holding the DELETE permission can abort active downloads initiated by other users via the /json/abort_link endpoint. This action terminates the transfer process, denying service to the expected recipients of the download. The system remains operational and services can be manually restarted, limiting the severity of the availability disruption.

Administrators must upgrade the pyload-ng installation to a release subsequent to version 0.5.0b3. The development team published version 0.5.0b3.dev97 to address this authorization mismatch alongside other issues, though administrators should monitor the official repository for stable branch releases. The software patch corrects the decorator strings to strictly enforce MODIFY permissions, neutralizing the vulnerability.

In environments where immediate patching is unfeasible, administrators must conduct a permissions audit. Review all user accounts and revoke ADD and DELETE roles from accounts that do not strictly require them. Security engineers should recognize that any user retaining these roles effectively possesses limited MODIFY capabilities until the application is updated.

Detection engineering teams can implement active scanning utilizing custom Nuclei templates. A detection template can authenticate with a low-privilege test account, issue a localized POST request to /json/package_order, and evaluate the HTTP response. A status code of 200 accompanied by successful state modification indicates a vulnerable instance.