pyLoad
cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*
- 0.5.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in pyLoad versions prior to 0.5.0b3.dev97. The download engine fetches whatever URL is added to a package without validating the destination, so an authenticated user can make the pyLoad host issue requests to internal network services and to the cloud provider's metadata service. On a DigitalOcean droplet this exposes infrastructure data such as the droplet ID, network configuration, region, authentication keys, and SSH keys stored in user-data or cloud-init.
The impact is that the pyLoad server acts as a request proxy into networks the attacker cannot reach directly: cloud metadata can be read in full (on DigitalOcean, the droplet ID, network details, region, authentication keys, and SSH keys from user-data or cloud-init), and internal services can be discovered and enumerated, which supports lateral movement within the network.
To reproduce this vulnerability, log into a pyLoad account and open the package tab. Enter a package name and, in the link field, a URL pointing to the DigitalOcean metadata endpoint (the metadata service is served from 169.254.169.254). Add the package and start the download through the pyLoad interface. The downloaded file contains the requested metadata, confirming that the server fetched the attacker-chosen internal URL.
Users are advised to update to pyLoad version 0.5.0b3.dev97, which includes a patch for this vulnerability. The underlying fix is destination validation in the download engine: allow only the URL schemes the engine is meant to handle, refuse requests to private, link-local and loopback ranges (which include the cloud metadata address 169.254.169.254), and check the destination before any download is started. Checking the URL string alone is insufficient: resolve the hostname and apply the checks to every returned address, and re-apply them to each redirect target, since an attacker-controlled hostname or redirect can point at an internal address while the original URL looks harmless.
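The following is an added example, not pyLoad's own code, of the destination validation described in the remediation: a scheme allowlist, rejection of private, link-local, loopback, multicast, reserved and named metadata addresses (after unwrapping IPv4 embedded in IPv6), resolution of hostnames with every returned address checked, and a redirect loop that validates each hop before requesting it. The `opener` callable, `demo_opener`, and the constructed redirect chain it returns are assumptions standing in for a real HTTP client.

```python
"""Destination validation for a download engine.

Added example, not pyLoad's own code: scheme allowlist, rejection of
private/link-local/loopback/metadata addresses, and a per-hop redirect check.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple, Union
from urllib.parse import urljoin, urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]
# opener(url) performs ONE request without following redirects and returns
# (status, lowercase-keyed headers, body). Hypothetical seam for a real HTTP client.
Opener = Callable[[str], Tuple[int, Dict[str, str], bytes]]

ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})

# Named metadata addresses, on top of the generic range checks below.
BLOCKED_ADDRESSES = frozenset({
    ipaddress.ip_address("169.254.169.254"),  # metadata service on DigitalOcean (also AWS, GCP, Azure)
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS over IPv6
})


def default_resolver(host: str) -> List[str]:
    """System resolver; returns every A/AAAA answer so that all of them get checked."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def is_forbidden_address(ip: IPAddress) -> bool:
    """True if the download engine must not connect to this address."""
    if isinstance(ip, ipaddress.IPv6Address):
        # Unwrap IPv4 embedded in IPv6 (::ffff:169.254.169.254, 2002::/16) so IPv4 rules apply.
        embedded = ip.ipv4_mapped if ip.ipv4_mapped is not None else ip.sixtofour
        if embedded is not None:
            ip = embedded
    return (
        ip in BLOCKED_ADDRESSES
        or ip.is_private      # RFC 1918, fc00::/7 and other IANA special-purpose ranges
        or ip.is_loopback
        or ip.is_link_local   # 169.254.0.0/16, where cloud metadata services live; fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_download_url(url: str, resolver: Resolver = default_resolver) -> List[str]:
    """Return the addresses a URL resolves to if it may be fetched; raise ValueError otherwise."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        raise ValueError("URL has no host")
    try:
        candidates = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        # Hostname: the attacker controls its DNS records, so every answer must pass.
        candidates = [addr.split("%", 1)[0] for addr in resolver(host)]
    if not candidates:
        raise ValueError(f"{host!r} did not resolve")
    for addr in candidates:
        if is_forbidden_address(ipaddress.ip_address(addr)):
            raise ValueError(f"{host!r} resolves to forbidden address {addr}")
    return candidates


def url_is_allowed(url: str, resolver: Resolver = default_resolver) -> bool:
    try:
        validate_download_url(url, resolver)
        return True
    except ValueError:
        return False


def fetch_with_checks(url: str, opener: Opener, resolver: Resolver = default_resolver,
                      max_redirects: int = 5) -> Tuple[str, bytes]:
    """Fetch url, following redirects by hand so every hop is validated before it is requested."""
    for _ in range(max_redirects + 1):
        validate_download_url(url, resolver)
        status, headers, body = opener(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location values resolve against the current URL
            continue
        return url, body
    raise ValueError("too many redirects")


def demo_opener(url: str) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed stand-in for an HTTP client: a public host whose one redirect chain is internal."""
    responses = {
        "http://1.1.1.1/a": (302, {"location": "/b"}, b""),
        "http://1.1.1.1/b": (200, {}, b"file contents"),
        "http://1.1.1.1/evil": (302, {"location": "http://169.254.169.254/metadata/v1/"}, b""),
    }
    return responses[url]


if __name__ == "__main__":
    print(fetch_with_checks("http://1.1.1.1/a", demo_opener))
    try:
        fetch_with_checks("http://1.1.1.1/evil", demo_opener)
    except ValueError as exc:
        print("blocked:", exc)  # refused before the metadata request is ever sent
```

Two design points matter in practice. First, a hostname is checked on all of its resolved addresses rather than on the string, because the attacker controls the DNS of any domain they add; a hostname that returns one public and one internal record is rejected outright. Second, there is still a window between `validate_download_url` and the client's own connect in which a rebinding DNS server could change the answer; the robust form of this check connects to the address that was validated and supplies the hostname separately in the Host header and SNI, which most high-level HTTP clients do not expose directly.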