PT-2026-40550 · Dalfox · Dalfox
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Dalfox versions prior to 2.13.0
Description
When running in REST API server mode, the software fails to sanitize the
custom-payload-file field within model.Options, which is deserialized directly from the request body and passed to the dalfox.Initialize function and the scan engine. The engine utilizes the voltFile.ReadLinesOrLiteral() function to read lines from any file path accessible to the process and embeds them as XSS payloads in outbound HTTP requests sent to a target URL controlled by the attacker. Since the server does not require an API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files from the host system line-by-line through scan traffic.Recommendations
Update to version 2.13.0.
As a temporary mitigation, restrict access to the
custom-payload-file field by stripping filesystem-dangerous fields from API-sourced requests.
Ensure the server is started with a mandatory --api-key to prevent unauthenticated access.Exploit
Fix
Missing Authentication
Files Accessible to External Parties
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Dalfox