Summary
Any unauthenticated user can browse to a specific URL to expose the Flask config, including the SECRET_KEY variable.
Details
The web UI exposes a /render/<path:filename> route that renders any bundled template without requiring authentication and without the context its normal view would supply. Rendering info.html this way prints Flask's auto-injected config object, which includes the SECRET_KEY variable, to any unauthenticated user.
PoC
Run pyload in its default configuration:
pyload
Now browse to http://localhost:8000/render/info.html. Notice how the Flask configuration gets displayed.
I was quite amused by this finding. I think it's a very interesting coming together of things that is so unlikely to happen. Below I will detail my process a bit more.
I was looking through the code to see how the authorization mechanism is implemented when I spotted this route, which can be accessed by any unauthenticated actor:
import mimetypes
import flask
from flask import render_template

# Unauthenticated route; `bp` is pyload's web UI blueprint
@bp.route("/render/<path:filename>", endpoint="render")
def render(filename):
    mimetype = mimetypes.guess_type(filename)[0] or "text/html"
    data = render_template(filename)  # rendered with no view-supplied context
    return flask.Response(data, mimetype=mimetype)
This route allows me to load in any of the predefined templates. However, these templates will be lacking any form of context, and as such it doesn't seem too useful. That is, until I loaded the info.html template and scrolled down, revealing the Flask config. This was purely accidental, and I did not understand why it happened until I looked at the template:
<tr>
    <td>{{ _("Config folder:") }}</td>
    <td>{{ config }}</td>
</tr>
Flask registers its configuration object as a Jinja global named config, so every template can reference {{ config }} without it being passed explicitly. In the normal execution of this template, the view below passes its own config key (the user directory), and a context variable shadows the global. Calling render_template(filename) through the /render route bypasses that view altogether, so nothing shadows the global and the template prints app.config, SECRET_KEY included. Had the template variable been named configuration or Config rather than config, this exploit would not work. The likelihood of that coincidence is small, but it happened here.
# Inside pyload's info view: the "config" key shadows Flask's config global
context = {
    "python": sys.version,
    "os": " ".join((os.name, sys.platform) + extra),
    "version": api.get_server_version(),
    "folder": PKGDIR,
    "config": api.get_userdir(),
    "download": conf["general"]["storage_folder"]["value"],
    "freespace": format.size(api.free_space()),
    "webif": conf["webui"]["port"]["value"],
    "language": conf["general"]["language"]["value"],
}
return render_template("info.html", **context)
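As an added example (not pyload's code and not part of the original advisory), the following minimal Flask app reproduces the pattern described above: a template that prints a variable named config, a view that shadows it with a path string, and an unauthenticated catch-all render route that does not. A hardened variant drops the catch-all route and requires a logged-in session before rendering. The template text, route paths, user directory and secret value are constructed for illustration.

```python
# Added example, not pyload's own code. Template text, paths, the user
# directory and the secret value below are constructed for illustration.
from flask import Flask, Response, abort, render_template_string, session

# Mirrors the advisory's info.html: the template prints a variable named
# `config`, which Flask also registers as a Jinja global bound to app.config.
INFO_TEMPLATE = "Config folder: {{ config }}"
TEMPLATES = {"info.html": INFO_TEMPLATE}
USERDIR = "/home/user/.pyload"  # stand-in for api.get_userdir()
SECRET = "constructed-secret-do-not-use"


def make_vulnerable_app():
    app = Flask(__name__)
    app.config["SECRET_KEY"] = SECRET

    @app.route("/render/<path:filename>")
    def render(filename):
        # Unauthenticated, and rendered with no context: nothing shadows
        # the `config` global, so the template prints app.config.
        tmpl = TEMPLATES.get(filename)
        if tmpl is None:
            abort(404)
        return Response(render_template_string(tmpl), mimetype="text/html")

    @app.route("/info")
    def info():
        # The intended view passes its own `config`, which shadows the global.
        return render_template_string(TEMPLATES["info.html"], config=USERDIR)

    return app


def make_hardened_app():
    app = Flask(__name__)
    app.config["SECRET_KEY"] = SECRET

    # No catch-all template route; the template is reached only through a
    # view that supplies the full context, behind an authentication check.
    @app.route("/info")
    def info():
        if "user" not in session:
            abort(401)
        return render_template_string(TEMPLATES["info.html"], config=USERDIR)

    return app


def fetch(app, path, authenticated=False):
    """GET `path` with Flask's test client; returns (status, body)."""
    client = app.test_client()
    if authenticated:
        with client.session_transaction() as sess:
            sess["user"] = "admin"
    resp = client.get(path)
    return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    status, body = fetch(make_vulnerable_app(), "/render/info.html")
    print(status, "leaks SECRET_KEY:", SECRET in body)
    status, body = fetch(make_hardened_app(), "/info", authenticated=True)
    print(status, "leaks SECRET_KEY:", SECRET in body)
```

Against the vulnerable app, an unauthenticated GET /render/info.html returns the repr of app.config (HTML-escaped, but with the secret intact), while GET /info shows only the user directory. The hardened app answers 404 on the catch-all path and 401 on /info without a session; with a session it renders the same path string and never the config object.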
Impact
Depending on how the exposed configuration values are used, the consequences can be severe. In Flask, SECRET_KEY signs the session cookie, so anyone who obtains it can forge signed data the application trusts. It is crucial to keep the SECRET_KEY secret and never expose it in code, configuration files or rendered pages.
CVE-2024-21644 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.5.0b3.dev77); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-21644? CVE-2024-21644 is a high-severity security vulnerability in pyload-ng (pip), affecting versions < 0.5.0b3.dev77. It is fixed in 0.5.0b3.dev77.
- How severe is CVE-2024-21644? CVE-2024-21644 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of pyload-ng are affected by CVE-2024-21644? pyload-ng (pip) versions < 0.5.0b3.dev77 are affected.
- Is there a fix for CVE-2024-21644? Yes. CVE-2024-21644 is fixed in 0.5.0b3.dev77. Upgrade to this version or later.
- Is CVE-2024-21644 exploitable, and should I be worried? Whether CVE-2024-21644 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2024-21644 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-21644? Upgrade pyload-ng to 0.5.0b3.dev77 or later.