https://feed.craftedsignal.io/products/dalfox/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 15:11:08 +0000https://feed.craftedsignal.io/briefs/2026-05-dalfox-file-read/Tue, 12 May 2026 15:11:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dalfox-file-read/Dalfox server mode is vulnerable to an unauthenticated arbitrary file read with out-of-band exfiltration via the `custom-payload-file` parameter, allowing attackers to read sensitive files on the host.Dalfox, when run in REST API server mode, is vulnerable to an unauthenticated arbitrary file read. The custom-payload-file field in model.Options is deserialized from the request body and used to read files. An attacker can exploit this by sending a POST request to the /scan endpoint with a custom-payload-file parameter pointing to a file on the server. Dalfox then reads the file line by line and includes each line as a payload in outbound HTTP requests directed at an attacker-controlled target URL. This vulnerability exists because the server, by default, does not require an API key. This allows an unauthenticated network attacker to exfiltrate the contents of arbitrary files readable by the dalfox process. The affected version is dalfox/v2 <= 2.12.0.

Attack Chain

1. Attacker sends a POST request to the /scan endpoint of the Dalfox REST API server (typically running on 0.0.0.0:6664).
2. The request includes a JSON body with the url, options, custom-payload-file, skip-discovery, and param fields set.
3. The custom-payload-file field contains the path to the file the attacker wants to read (e.g., /etc/hostname).
4. The skip-discovery option is set to true, and param is set to ["q"] to bypass checks.
5. Dalfox reads the specified file line by line using voltFile.ReadLinesOrLiteral.
6. Each line of the file is embedded as the value of the q query parameter in a GET request to the attacker-controlled URL.
7. Dalfox sends the HTTP GET request to the attacker’s server, exfiltrating one line of the file.
8. The attacker receives the file content via the query parameter of the HTTP GET request.

Impact

Successful exploitation allows an attacker to read arbitrary files on the Dalfox host that the Dalfox process has access to. This includes sensitive data like SSH private keys, TLS certificates, .env files containing credentials, cloud credential files, and system configuration files. If combined with other vulnerabilities, such as the found-action RCE, the attacker could potentially gain full control of the server.

Recommendation

• Implement the preferred remediation: Apply a denylist of fields that should never be accepted from the REST API, as suggested in the source, to prevent attackers from abusing CustomPayloadFile and other sensitive parameters.
• Require the --api-key flag at server startup, as suggested in the source, to mandate authentication for all API requests.
• Deploy the Sigma rule Detect Dalfox Unauthenticated File Read via API to detect attempts to exploit this vulnerability by monitoring HTTP POST requests to the /scan endpoint with a custom-payload-file parameter.

]]>highadvisoryunauthenticated-accessfile-readghsahttps://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/Tue, 12 May 2026 15:10:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/Dalfox is vulnerable to an unauthenticated remote denial-of-service (DoS) vulnerability (CVE-2026-45090) due to a closed channel write in the `ParameterAnalysis` function, triggered by a crafted POST request that crashes the Dalfox server process.Dalfox, a security tool, is susceptible to an unauthenticated remote denial-of-service vulnerability (CVE-2026-45090) within its ParameterAnalysis function. This vulnerability arises from a two-stage worker design where the second stage inadvertently utilizes a closed channel from the first stage. When a scanned parameter is reflected during the second stage of the analysis and processParams attempts to write to this already-closed channel, it triggers a Go runtime panic, resulting in the termination of the entire Dalfox process in server mode. This can be exploited remotely by any unauthenticated caller with network access to the Dalfox REST API, as the default configuration lacks an API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This issue affects Dalfox versions 2.12.0 and earlier.

Attack Chain

1. An attacker sends a POST request to the /scan endpoint of the Dalfox REST API server.
2. The attacker includes a url parameter pointing to a controlled, reflective HTTP server (e.g., http://127.0.0.1:18083/?q=test).
3. The attacker includes a JSON payload containing options with "data": "q=test", "mining-dict": true, and "use-headless": false.
4. The options.Data value triggers the activation of the second worker stage in ParameterAnalysis.
5. The mining-dict: true setting populates the POST-body parameter map (dp) with numerous entries from the GF-XSS wordlist.
6. The target server reflects the q parameter, causing the vrs variable to evaluate to true within the processParams function.
7. processParams attempts to send a paramResult to the closed results channel: results <- paramResult.
8. This operation triggers a Go runtime panic because the results channel was already closed after the first stage of ParameterAnalysis, causing the Dalfox server process to crash.

Impact

A successful exploit results in a complete crash of the Dalfox server process upon receiving a single unauthenticated POST request. This leads to the loss of any in-flight scan results, and requires a manual restart of the server. If Dalfox is managed by an automated process manager (such as systemd or Docker with --restart=always), this vulnerability can lead to a denial-of-service loop, as the server will repeatedly crash and restart upon receiving malicious requests. The attack requires network access to port 6664 (the default Dalfox API port) and a reflective HTTP server accessible to the Dalfox instance.

Recommendation

• Apply the suggested fix (Option 1) by allocating a fresh results channel for the second stage within the ParameterAnalysis function to prevent writing to a closed channel.
• As a temporary measure, implement Option 3 and add a recover statement in the processParams goroutines to catch the panic and prevent the process from crashing while a proper fix is deployed.
• Deploy the Sigma rule “Detect Dalfox DoS Attack via /scan Endpoint” to detect POST requests to the /scan endpoint with the specific options payload that triggers the vulnerability.
• Monitor Dalfox server logs for “panic: send on closed channel” messages originating from pkg/scanning/parameterAnalysis.go:299, which indicates a successful exploit of CVE-2026-45090.

]]>mediumadvisorydosvulnerabilitydalfoxhttps://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/Tue, 12 May 2026 15:10:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.Dalfox, a security auditing tool, is vulnerable to unauthenticated remote code execution (CVE-2026-45087) when running in REST API server mode (dalfox server) with default settings. The server binds to 0.0.0.0:6664 and, unless explicitly configured with --api-key, does not require authentication. A flaw exists in how the server handles model.Options, specifically FoundAction and FoundActionShell, which are deserialized directly from attacker-supplied JSON in POST /scan. Because dalfox.Initialize propagates these fields into the final scan options without sanitization, any unauthenticated attacker can execute arbitrary shell commands on the host OS whenever a scan finding is triggered. This vulnerability affects dalfox versions 2.12.0 and earlier.

Attack Chain

1. The attacker starts a dalfox server instance in REST API mode without specifying an API key, leaving it open to unauthenticated access.
2. The attacker sets up a malicious web server that reflects input, ensuring any scan against it will produce a finding.
3. The attacker crafts a POST request to the /scan endpoint of the dalfox server.
4. The request includes a JSON payload containing the URL of the malicious web server and options with malicious values for found-action and found-action-shell.
5. The postScanHandler deserializes the JSON payload into a Req struct, including the options field which contains the malicious FoundAction and FoundActionShell values.
6. The ScanFromAPI function is called, passing the attacker-controlled options to dalfox.Initialize.
7. dalfox.Initialize copies the attacker-supplied FoundAction and FoundActionShell values into the scan options without sanitization.
8. When a finding is triggered during the scan, the foundAction function executes the attacker-supplied shell command using exec.Command, achieving remote code execution on the dalfox host.

Impact

Successful exploitation results in unauthenticated remote code execution on the host running dalfox server. This grants the attacker full read access to secrets, configuration files, and credentials accessible to the dalfox process. The attacker can perform arbitrary file writes, enabling persistence, backdoor installation, and data exfiltration. The default 0.0.0.0 bind address exposes the server to all network interfaces, potentially including public-facing ones in misconfigured environments.

Recommendation

• Require API key: Enforce the use of --api-key in REST server mode by rejecting server startup if no API key is provided, as described in the remediation suggestion within the advisory.
• Strip FoundAction / FoundActionShell: Sanitize API-sourced requests by removing the FoundAction and FoundActionShell options in the postScanHandler to prevent untrusted callers from setting execution-control options.
• Deploy the Sigma rules: Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect exploitation attempts.
• Upgrade Dalfox: Upgrade to a patched version of Dalfox that addresses CVE-2026-45087.

]]>criticaladvisoryrcedalfoxcve-2026-45087