PT-2026-40425 · Dalfox

Bugbunny-Research · Published 2026-05-12 · Updated 2026-05-27

CVE-2026-45090
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: dalfox (affected versions not specified)

Description: A structural ordering error in the ParameterAnalysis() function within pkg/scanning/parameterAnalysis.go allows an unauthenticated remote attacker to crash the dalfox server process. The issue occurs because the results channel is closed after the first worker stage completes, but is then passed to a second worker stage that processes POST-body parameters. When the processParams() function identifies a reflected parameter in the second stage, it attempts to write to the already-closed results channel, triggering a Go runtime panic.

This can be remotely triggered via the REST API (default port 6664) when the data variable is provided in the request and the target URL reflects at least one parameter. Since the default configuration does not require an API key, any network peer can execute this attack, leading to a complete denial of service where the server process terminates and requires a manual restart.

Recommendations: Allocate a fresh results channel for the second stage of parameter analysis instead of reusing the closed channel from the first stage. Merge both parameter maps into a single shared queue and worker stage to eliminate the two-stage design. As a temporary workaround, implement a recover mechanism within the processParams() goroutines to prevent the entire process from crashing when a panic occurs.
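The following Go program is an added illustration of the channel-ordering defect and of the two remedies the advisory recommends; it is not dalfox's code. It models the two-stage pipeline with a hypothetical Result type, a constructed reflects() helper (a parameter "reflects" if its value appears in a constructed response body), and stage labels "query" and "body" that are assumptions for the example. Each worker carries the recover() workaround so that a send on a closed channel is counted instead of killing the process; that makes the broken ordering observable as lost results rather than as a crash. analyzeFreshChannels() shows the recommended fix of giving each stage its own channel.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Result is a hypothetical stand-in for what a scanner reports per reflected parameter.
type Result struct {
	Name   string
	Source string // "query" or "body" (assumed labels for this example)
}

// stageOutcome records what a worker stage did: sends that succeeded and sends that
// hit an already-closed channel (recovered inside the worker instead of crashing).
type stageOutcome struct {
	delivered            int
	lostToClosedChannel int
}

// reflects is a constructed stand-in for the real reflection check.
func reflects(body, value string) bool { return strings.Contains(body, value) }

// runStage fans the parameters out to worker goroutines; each reflected parameter is
// written to results. The deferred recover is the advisory's temporary workaround.
func runStage(body string, params map[string]string, source string, results chan<- Result) stageOutcome {
	var (
		wg  sync.WaitGroup
		mu  sync.Mutex
		out stageOutcome
	)
	for name, value := range params {
		wg.Add(1)
		go func(n, v string) {
			defer wg.Done()
			defer func() {
				if r := recover(); r != nil { // "send on closed channel" lands here
					mu.Lock()
					out.lostToClosedChannel++
					mu.Unlock()
				}
			}()
			if reflects(body, v) {
				results <- Result{Name: n, Source: source}
				mu.Lock()
				out.delivered++
				mu.Unlock()
			}
		}(name, value)
	}
	wg.Wait()
	return out
}

// analyzeReusedChannel reproduces the ordering the advisory describes: the channel is
// closed once the first stage finishes, then handed to the second stage anyway. Without
// the in-worker recover, the first reflected body parameter would panic the process.
func analyzeReusedChannel(body string, query, post map[string]string) ([]Result, stageOutcome) {
	results := make(chan Result, len(query)+len(post))
	runStage(body, query, "query", results)
	close(results) // stage one done, channel closed...
	var found []Result
	for r := range results {
		found = append(found, r)
	}
	second := runStage(body, post, "body", results) // ...but reused here: every send panics
	return found, second
}

// analyzeFreshChannels is the recommended fix: each stage owns a channel that is
// closed only after that stage's workers have all finished.
func analyzeFreshChannels(body string, query, post map[string]string) []Result {
	var found []Result
	collect := func(params map[string]string, source string) {
		ch := make(chan Result, len(params))
		runStage(body, params, source, ch)
		close(ch)
		for r := range ch {
			found = append(found, r)
		}
	}
	collect(query, "query")
	collect(post, "body")
	return found
}

func main() {
	// Constructed sample: the page echoes the "q" query value and the "user" body value.
	body := "search results for term. welcome back, alice"
	query := map[string]string{"q": "term", "page": "2"}
	post := map[string]string{"user": "alice", "csrf": "zz"}

	fmt.Println("fresh channels:", analyzeFreshChannels(body, query, post))
	found, second := analyzeReusedChannel(body, query, post)
	fmt.Printf("reused channel: found=%v lost=%d\n", found, second.lostToClosedChannel)
}
```

With the reused channel the body-stage reflection is never reported (lost=1), which is the silent failure the recover workaround trades for the crash; the fresh-channel version reports both reflections. The advisory's other option, merging both maps into one queue and one worker stage, removes the second close/reuse step entirely and is the simpler long-term shape.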

Exploit · Fix · Race Condition · Improper Resource Release


Weakness Enumeration

Related Identifiers

CVE-2026-45090
GHSA-2G4X-FQ3J-CGQ4
GO-2026-4999

Affected Products

Dalfox