{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dalfox/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox"],"_cs_severities":["medium"],"_cs_tags":["dos","vulnerability","dalfox"],"_cs_type":"advisory","_cs_vendors":["github.com"],"content_html":"\u003cp\u003eDalfox, a security tool, is susceptible to an unauthenticated remote denial-of-service vulnerability (CVE-2026-45090) within its \u003ccode\u003eParameterAnalysis\u003c/code\u003e function. This vulnerability arises from a two-stage worker design where the second stage inadvertently utilizes a closed channel from the first stage. When a scanned parameter is reflected during the second stage of the analysis and \u003ccode\u003eprocessParams\u003c/code\u003e attempts to write to this already-closed channel, it triggers a Go runtime panic, resulting in the termination of the entire Dalfox process in server mode. This can be exploited remotely by any unauthenticated caller with network access to the Dalfox REST API, as the default configuration lacks an API key and the second stage activates whenever \u003ccode\u003eoptions.Data != \u0026quot;\u0026quot;\u003c/code\u003e (i.e., the attacker supplies the \u003ccode\u003edata\u003c/code\u003e field) and the target reflects at least one parameter. This issue affects Dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a POST request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the Dalfox REST API server.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003eurl\u003c/code\u003e parameter pointing to a controlled, reflective HTTP server (e.g., \u003ccode\u003ehttp://127.0.0.1:18083/?q=test\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes a JSON payload containing \u003ccode\u003eoptions\u003c/code\u003e with \u003ccode\u003e\u0026quot;data\u0026quot;: \u0026quot;q=test\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;mining-dict\u0026quot;: true\u003c/code\u003e, and \u003ccode\u003e\u0026quot;use-headless\u0026quot;: false\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eoptions.Data\u003c/code\u003e value triggers the activation of the second worker stage in \u003ccode\u003eParameterAnalysis\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emining-dict: true\u003c/code\u003e setting populates the POST-body parameter map (\u003ccode\u003edp\u003c/code\u003e) with numerous entries from the GF-XSS wordlist.\u003c/li\u003e\n\u003cli\u003eThe target server reflects the \u003ccode\u003eq\u003c/code\u003e parameter, causing the \u003ccode\u003evrs\u003c/code\u003e variable to evaluate to true within the \u003ccode\u003eprocessParams\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eprocessParams\u003c/code\u003e attempts to send a \u003ccode\u003eparamResult\u003c/code\u003e to the closed \u003ccode\u003eresults\u003c/code\u003e channel: \u003ccode\u003eresults \u0026lt;- paramResult\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis operation triggers a Go runtime panic because the \u003ccode\u003eresults\u003c/code\u003e channel was already closed after the first stage of \u003ccode\u003eParameterAnalysis\u003c/code\u003e, causing the Dalfox server process to crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit results in a complete crash of the Dalfox server process upon receiving a single unauthenticated POST request. This leads to the loss of any in-flight scan results, and requires a manual restart of the server. If Dalfox is managed by an automated process manager (such as systemd or Docker with \u003ccode\u003e--restart=always\u003c/code\u003e), this vulnerability can lead to a denial-of-service loop, as the server will repeatedly crash and restart upon receiving malicious requests. The attack requires network access to port 6664 (the default Dalfox API port) and a reflective HTTP server accessible to the Dalfox instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix (Option 1) by allocating a fresh \u003ccode\u003eresults\u003c/code\u003e channel for the second stage within the \u003ccode\u003eParameterAnalysis\u003c/code\u003e function to prevent writing to a closed channel.\u003c/li\u003e\n\u003cli\u003eAs a temporary measure, implement Option 3 and add a \u003ccode\u003erecover\u003c/code\u003e statement in the \u003ccode\u003eprocessParams\u003c/code\u003e goroutines to catch the panic and prevent the process from crashing while a proper fix is deployed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Dalfox DoS Attack via /scan Endpoint\u0026rdquo; to detect POST requests to the \u003ccode\u003e/scan\u003c/code\u003e endpoint with the specific \u003ccode\u003eoptions\u003c/code\u003e payload that triggers the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Dalfox server logs for \u0026ldquo;panic: send on closed channel\u0026rdquo; messages originating from \u003ccode\u003epkg/scanning/parameterAnalysis.go:299\u003c/code\u003e, which indicates a successful exploit of CVE-2026-45090.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:28Z","date_published":"2026-05-12T15:10:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/","summary":"Dalfox is vulnerable to an unauthenticated remote denial-of-service (DoS) vulnerability (CVE-2026-45090) due to a closed channel write in the `ParameterAnalysis` function, triggered by a crafted POST request that crashes the Dalfox server process.","title":"Dalfox Unauthenticated Remote DoS via Closed-Channel Write in ParameterAnalysis","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dalfox/v2 (\u003c= 2.12.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","dalfox","cve-2026-45087"],"_cs_type":"advisory","_cs_vendors":["Hahwul"],"content_html":"\u003cp\u003eDalfox, a security auditing tool, is vulnerable to unauthenticated remote code execution (CVE-2026-45087) when running in REST API server mode (\u003ccode\u003edalfox server\u003c/code\u003e) with default settings. The server binds to \u003ccode\u003e0.0.0.0:6664\u003c/code\u003e and, unless explicitly configured with \u003ccode\u003e--api-key\u003c/code\u003e, does not require authentication. A flaw exists in how the server handles \u003ccode\u003emodel.Options\u003c/code\u003e, specifically \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e, which are deserialized directly from attacker-supplied JSON in \u003ccode\u003ePOST /scan\u003c/code\u003e. Because \u003ccode\u003edalfox.Initialize\u003c/code\u003e propagates these fields into the final scan options without sanitization, any unauthenticated attacker can execute arbitrary shell commands on the host OS whenever a scan finding is triggered. This vulnerability affects dalfox versions 2.12.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker starts a \u003ccode\u003edalfox server\u003c/code\u003e instance in REST API mode without specifying an API key, leaving it open to unauthenticated access.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious web server that reflects input, ensuring any scan against it will produce a finding.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/scan\u003c/code\u003e endpoint of the dalfox server.\u003c/li\u003e\n\u003cli\u003eThe request includes a JSON payload containing the URL of the malicious web server and \u003ccode\u003eoptions\u003c/code\u003e with malicious values for \u003ccode\u003efound-action\u003c/code\u003e and \u003ccode\u003efound-action-shell\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epostScanHandler\u003c/code\u003e deserializes the JSON payload into a \u003ccode\u003eReq\u003c/code\u003e struct, including the \u003ccode\u003eoptions\u003c/code\u003e field which contains the malicious \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eScanFromAPI\u003c/code\u003e function is called, passing the attacker-controlled options to \u003ccode\u003edalfox.Initialize\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edalfox.Initialize\u003c/code\u003e copies the attacker-supplied \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e values into the scan options without sanitization.\u003c/li\u003e\n\u003cli\u003eWhen a finding is triggered during the scan, the \u003ccode\u003efoundAction\u003c/code\u003e function executes the attacker-supplied shell command using \u003ccode\u003eexec.Command\u003c/code\u003e, achieving remote code execution on the dalfox host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in unauthenticated remote code execution on the host running \u003ccode\u003edalfox server\u003c/code\u003e. This grants the attacker full read access to secrets, configuration files, and credentials accessible to the dalfox process. The attacker can perform arbitrary file writes, enabling persistence, backdoor installation, and data exfiltration. The default \u003ccode\u003e0.0.0.0\u003c/code\u003e bind address exposes the server to all network interfaces, potentially including public-facing ones in misconfigured environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRequire API key:\u003c/strong\u003e Enforce the use of \u003ccode\u003e--api-key\u003c/code\u003e in REST server mode by rejecting server startup if no API key is provided, as described in the remediation suggestion within the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStrip \u003ccode\u003eFoundAction\u003c/code\u003e / \u003ccode\u003eFoundActionShell\u003c/code\u003e:\u003c/strong\u003e Sanitize API-sourced requests by removing the \u003ccode\u003eFoundAction\u003c/code\u003e and \u003ccode\u003eFoundActionShell\u003c/code\u003e options in the \u003ccode\u003epostScanHandler\u003c/code\u003e to prevent untrusted callers from setting execution-control options.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules:\u003c/strong\u003e Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Dalfox:\u003c/strong\u003e Upgrade to a patched version of Dalfox that addresses CVE-2026-45087.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T15:10:12Z","date_published":"2026-05-12T15:10:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/","summary":"Dalfox in REST API server mode is vulnerable to unauthenticated remote code execution (CVE-2026-45087) because the server binds to 0.0.0.0:6664 by default without requiring an API key and deserializes attacker-supplied JSON in `POST /scan` without stripping the `FoundAction` and `FoundActionShell` fields, allowing arbitrary command execution.","title":"Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`","url":"https://feed.craftedsignal.io/briefs/2026-05-dalfox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Dalfox","version":"https://jsonfeed.org/version/1.1"}