cbcvebase.
CVE-2023-0297
published 2023-01-14

CVE-2023-0297: Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

Priority: P1 (90) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 96.99% (99.9th percentile)

Affected (3 ranges)

  Vendor              Product         Version range                                  Fixed in
  pyload-ng_project   pyload-ng       >= 0, < 0.5.0b3.dev31                          0.5.0b3.dev31
  pyload              pyload          <= 0.4.20                                      (none listed)
  pyload              pyload_pyload   < 0.5.0b3.dev31 (lower bound unspecified)      0.5.0b3.dev31

Detection & IOCs (extracted from sources)

  path:    /flash/addcrypted2
  port:    9666
  port:    8000
  command: jk=pyimport%20os;os.system("<cmd>");f=function%20f2(){};
  command: jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw
  • Detect exploit attempts by matching POST requests to /flash/addcrypted2 whose body contains the string 'pyimport'. This is the injection vector: js2py's pyimport lets the JavaScript passed in the jk parameter import and call Python modules (pyimport os; os.system(...)). Match on the URL-decoded body, since on the wire the token appears as 'pyimport%20os' or 'pyimport+os'.
  • Monitor for inbound unauthenticated POST requests to the /flash/addcrypted2 endpoint, especially from external hosts on port 9666 (Click 'N' Load service).
  • The Nuclei template's fingerprint matcher, a GET to /flash/addcrypted2 returning a body containing 'JDownloader', identifies a pyLoad Click 'N' Load endpoint (pyLoad answers this way to look like JDownloader to Click 'N' Load clients) but does not by itself prove the instance is unpatched, since fixed versions answer the same way. Treat it as a lead to confirm with a version check or the injection request.
  • Use Shodan/FOFA/ZoomEye queries to identify exposed pyLoad instances: html:"pyload", http.title:"login - pyload", title="login - pyload", app="pyLoad".
  • The exploit POST carries Content-Type: application/x-www-form-urlencoded; correlate that header with the /flash/addcrypted2 path and 'pyimport' in the body for high-fidelity detection.
  • The primary pyLoad web UI on port 8000 is not reachable by external hosts by default; exploitation from the internet targets port 9666 (Click 'N' Load). Block external access to port 9666 on unpatched instances.
  • The vulnerability is pre-authentication: no credentials are required, so any network-exposed pyLoad instance is immediately at risk.
  • The injection is routed through the js2py library's pyimport feature. Upgrading to pyload 0.5.0b3.dev31 or later closes it; the fix disables pyimport in js2py (js2py.disable_pyimport()) rather than removing the library, which pyLoad still uses to evaluate JavaScript.
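The detection logic from the bullets above, written out as an added example (not code from the page, the Nuclei template, or the pyLoad project): it classifies requests by path, method, port and the URL-decoded jk parameter, and runs over a handful of constructed log records. The log line format (port|method|path|content_type|body) and the record contents are assumptions made for the example; the path, ports and payload shape come from the IOC list.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and ports taken from the IOC list above.
CNL_PATH = "/flash/addcrypted2"
CNL_PORTS = {9666, 8000}  # 9666 = Click 'N' Load listener, 8000 = main web UI
# js2py evaluates `pyimport <module>` inside the JavaScript it is handed; that
# token is the injection primitive used against the jk parameter.
PYIMPORT_RE = re.compile(r"\bpyimport\b")


def fully_decode(value, rounds=3):
    """Undo repeated URL encoding so a double-encoded payload still matches."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(method, path, port, content_type, body):
    """Return None for uninteresting traffic, else a finding dict."""
    if path.split("?", 1)[0] != CNL_PATH:
        return None
    if method.upper() != "POST":
        # A GET to the Click 'N' Load path is a fingerprinting probe, not an exploit.
        return {"severity": "info", "reason": "Click 'N' Load endpoint probed"}
    # parse_qs strips one encoding layer; fully_decode handles stacked layers.
    params = parse_qs(body, keep_blank_values=True)
    jk = fully_decode(params.get("jk", [""])[0])
    if PYIMPORT_RE.search(jk) or PYIMPORT_RE.search(fully_decode(body)):
        finding = {"severity": "critical",
                   "reason": "pyimport in jk parameter (CVE-2023-0297 exploit attempt)"}
        if port not in CNL_PORTS:
            finding["reason"] += ", unexpected port"
        if "application/x-www-form-urlencoded" not in content_type:
            finding["reason"] += ", unusual Content-Type"
        return finding
    return None


def scan_log(lines):
    """Run classify_request over 'port|method|path|content_type|body' records."""
    findings = []
    for n, line in enumerate(lines, 1):
        port, method, path, ctype, body = line.split("|", 4)
        hit = classify_request(method, path, int(port), ctype, body)
        if hit:
            findings.append({"line": n, "port": int(port), **hit})
    return findings


# Constructed sample records, not taken from any real log. Record 1 is the
# percent-encoded exploit body from the IOC list with "id" as the command,
# record 2 is a benign Click 'N' Load submission (jk holds an ordinary key
# function), record 3 double-encodes the payload, record 4 is a GET probe,
# record 5 is unrelated web UI traffic.
SAMPLE_LOG = [
    "9666|POST|/flash/addcrypted2|application/x-www-form-urlencoded|"
    "jk=pyimport+os%3Bos.system%28%22id%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B"
    "&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw",
    "9666|POST|/flash/addcrypted2|application/x-www-form-urlencoded|"
    "jk=function+f%28%29%7Breturn+%2700112233445566778899aabbccddeeff%27%7D"
    "&crypted=Y3J5cHRlZA%3D%3D&passwords=",
    "8000|POST|/flash/addcrypted2|application/x-www-form-urlencoded|"
    "jk=%2570yimport%2520os%253Bos.system%2528%2522id%2522%2529&crypted=x&passwords=",
    "9666|GET|/flash/addcrypted2||",
    "8000|GET|/login|text/html|",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"record {f['line']} port {f['port']} {f['severity']}: {f['reason']}")
```

Records 1 and 3 are flagged critical and record 4 informational; the benign Click 'N' Load submission and the /login request produce nothing. Decoding the jk value repeatedly is what keeps the double-encoded variant from slipping past a matcher that only looks for the literal 'pyimport' on the wire.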

CVSS provenance

  NVD         v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  NVD         v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  VulnCheck          9.8   CRITICAL