CVE-2025-7346
Published 2025-07-08. CVE-2025-7346: Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
Priority P3 (57) · high · 8.7 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.32% (23.2 percentile)
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | 0 – 0.5.0b3.dev88 | — |
| pyload | pyload | <= 0.5.0b3.dev77 | — |
OSV
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
osv · 2025-07-08 · CVE-2025-7346 [HIGH]
### Summary
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.
### Details
Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the `Host` header to the value of `127.0.0.1:9666`.
### PoC
The application has middleware that prevents access to several routes by checking whether the `Host` header has a specific value. We bypassed this restriction.
https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36
GHSA
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
ghsa · 2025-07-08 · CVE-2025-7346 [HIGH] · CWE-284
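As an added illustration of the advisory's Details and PoC sections (this is not pyLoad's code, and the linked cnl_blueprint.py is not reproduced here): a "localhost only" gate that trusts the client-supplied `Host` header, beside one that decides on the peer address the server actually observed, plus a small access-log check that flags requests claiming the loopback listener from a non-loopback source. The allow-list, environ keys, route paths and log format are assumptions.

```python
from ipaddress import ip_address

# Assumed allow-list for the loopback listener (port 9666 comes from the advisory).
LOOPBACK_LISTENER = {"127.0.0.1:9666", "localhost:9666"}

def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything that does not parse."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False

def is_local_by_host_header(environ: dict) -> bool:
    """Weak gate (the CWE-284 pattern): trusts the client-supplied Host header,
    so any remote client that sends the expected value passes."""
    return environ.get("HTTP_HOST", "") in LOOPBACK_LISTENER

def is_local_by_peer_address(environ: dict) -> bool:
    """Hardened gate: decides on the TCP peer address the server observed, which
    the client cannot choose. Behind a reverse proxy REMOTE_ADDR is the proxy,
    so bind the listener to loopback there rather than trusting any header."""
    return _is_loopback(environ.get("REMOTE_ADDR", ""))

def handle_add_package(environ: dict, gate) -> tuple:
    """Route stub standing in for the package-creation endpoint."""
    if not gate(environ):
        return 403, "localhost only"
    return 200, "package created"

def flag_host_mismatch(log_lines) -> list:
    """Detection: flag lines (constructed 'src_ip host path' format) whose Host
    names the loopback listener while the source address is not loopback."""
    hits = []
    for line in log_lines:
        src, host, path = line.split()
        if host in LOOPBACK_LISTENER and not _is_loopback(src):
            hits.append((src, path))
    return hits

# Constructed sample requests and access-log lines; the paths are placeholders.
LOCAL_REQ = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "127.0.0.1:9666"}
SPOOFED_REQ = {"REMOTE_ADDR": "203.0.113.5", "HTTP_HOST": "127.0.0.1:9666"}
SAMPLE_LOG = [
    "127.0.0.1 127.0.0.1:9666 /add-package",
    "203.0.113.5 127.0.0.1:9666 /add-package",
    "203.0.113.9 example.com:8000 /login",
]
```

The weak gate accepts SPOOFED_REQ while the peer-address gate rejects it; flag_host_mismatch surfaces the same mismatch in logs for instances that cannot be patched immediately.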
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-07-08