GHSA-8HF9-3Q64-Q2QF

Vulnerability from github – Published: 2026-05-12 15:08 – Updated: 2026-05-12 15:08
VLAI
Summary
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
Details

Summary

When dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem.

Severity

High (CVSS 3.1: 8.2)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

  • Attack Vector: Network — server binds to 0.0.0.0:6664 by default.
  • Attack Complexity: Low — no preconditions; all trigger options (output, output-all, debug) are fully attacker-supplied in the JSON body.
  • Privileges Required: None — --api-key defaults to "", so the auth middleware is never registered.
  • User Interaction: None.
  • Scope: Unchanged — the file write stays within the dalfox process's OS authority.
  • Confidentiality Impact: None — this is a write-only primitive; no data is returned to the caller.
  • Integrity Impact: High — the attacker has full control over which file path is opened, enabling creation of new files or corruption of existing files anywhere the dalfox process has write permission. While the log content format is semi-fixed, the file path is entirely attacker-determined, making the integrity violation complete with respect to file targeting.
  • Availability Impact: Low — corrupting application configuration files or log files on the host can degrade the availability of other services relying on those files.

Affected Component

  • cmd/server.goinit() (line 51): --api-key defaults to "" — no auth by default
  • pkg/server/server.gosetupEchoServer() (line 68): auth middleware only registered when APIKey != ""
  • pkg/server/server.gopostScanHandler() (lines 173–191): rq.Options (including OutputFile, OutputAll, Debug) passed to ScanFromAPI without sanitization
  • lib/func.goInitialize() (line 107): OutputFile explicitly propagated from caller options; OutputAll (line 167) and Debug (line 176) likewise
  • internal/printing/logger.goDalLog() (lines 230–244): os.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) executes outside the IsLibrary guard

CWE

  • CWE-306: Missing Authentication for Critical Function
  • CWE-73: External Control of File Name or Path
  • CWE-434: Unrestricted Upload of File with Dangerous Type (write-path variant)

Description

output, output-all, and debug Are Fully Attacker-Controlled

model.Options exposes all three trigger fields with JSON tags:

// pkg/model/options.go:88,85,88
OutputFile  string `json:"output,omitempty"`
OutputAll   bool   `json:"output-all,omitempty"`
Debug       bool   `json:"debug,omitempty"`

postScanHandler binds the entire Req.Options from the JSON body and passes it directly to ScanFromAPI:

// pkg/server/server.go:173-191
rq := new(Req)
if err := c.Bind(rq); err != nil { ... }
go ScanFromAPI(rq.URL, rq.Options, *options, sid)

Initialize explicitly copies all three fields into newOptions:

// lib/func.go:107, 167, 176
"OutputFile": {&newOptions.OutputFile, options.OutputFile},
...
"OutputAll":  {&newOptions.OutputAll, options.OutputAll},
...
"Debug":      {&newOptions.Debug, options.Debug},

The File Write Is Not Guarded by IsLibrary

Initialize always sets IsLibrary: true (line 20) and Silence: true (line 44) in its returned options — the intent being that the scan engine runs in embedded/library mode during API calls, suppressing terminal I/O. DalLog does respect this for stderr output: lines 203–228 route logs to ScanResult.Logs (not stderr) when IsLibrary is true. However, the file write block at lines 230–244 is positioned after and outside that if-else:

// internal/printing/logger.go
mutex.Lock()
if options.IsLibrary {
    options.ScanResult.Logs = append(options.ScanResult.Logs, text)  // API path
} else {
    // stderr printing (CLI path)
}

// ← file write is here, unconditionally — no IsLibrary check
if options.OutputFile != "" {
    var fdtext string
    if ftext != "" {
        fdtext = ftext
        f, err := os.OpenFile(options.OutputFile,
            os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
        if err != nil {
            fmt.Fprintln(os.Stderr, "output file error (file)")
        }
        defer f.Close()
        if _, err := f.WriteString(fdtext + "\n"); err != nil {
            fmt.Fprintln(os.Stderr, "output file error (write)")
        }
    }
}
mutex.Unlock()

The ftext variable is populated whenever allWrite is true (options.Debug || options.OutputAll). Since both are attacker-supplied, both conditions are trivially satisfied.

What Gets Written

Log lines of the form:

[*] Starting scan [SID:<id>] / URL: <attacker-supplied-url>
[I] Checking BAV
[E] connection refused
[DEBUG] <internal state>
...

The URL appears verbatim in log messages, giving the attacker partial influence over the written content. While the format is not fully arbitrary (fixed prefixes like [*], [I], [E]), the file path is entirely attacker-controlled. The flags O_CREATE (creates the file if absent) and O_APPEND (never truncates) mean the attacker can: - Create new files at arbitrary paths - Append log content to existing files (corrupting configs, auth files, cron entries if the line happens to match syntax)

No Defense at Any Layer

The same opt-in API key gap applies here as in all prior findings:

// pkg/server/server.go:68-70
if options.ServerType == "rest" && options.APIKey != "" {
    e.Use(apiKeyAuth(options.APIKey, options))
}

There is no path allowlist, no IsLibrary guard on the file write, and no stripping of OutputFile from API-sourced requests anywhere in the codebase.

Proof of Concept

# Step 1 — Start dalfox REST server (default: no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest

# Step 2 — Verify health (unauthenticated)
curl -s http://127.0.0.1:16664/health
# Expected: {"code":200,"msg":"ok"}

# Step 3 — Trigger arbitrary file creation with attacker-controlled path
curl -s -X POST http://127.0.0.1:16664/scan \
  -H 'Content-Type: application/json' \
  --data '{
    "url": "http://127.0.0.1:1/?x=1",
    "options": {
      "output": "/tmp/dalfox_sink_poc.log",
      "output-all": true,
      "debug": true,
      "use-headless": false
    }
  }'

# Step 4 — Verify file was created and written to by the dalfox process
sleep 2
cat /tmp/dalfox_sink_poc.log
# Expected:
# [*] Starting scan [SID:...] / URL: http://127.0.0.1:1/?x=1
# [I] Checking BAV
# [E] ...

No X-API-KEY header is required. Replace /tmp/dalfox_sink_poc.log with any path writable by the dalfox process: /var/www/html/injected.txt, /etc/cron.d/dalfox, ~/.ssh/authorized_keys (appending log lines that won't break key format but pollute the file), etc.

Impact

  • Arbitrary file creation: The attacker can create files at any path on the dalfox host filesystem accessible to the dalfox process, including web-serving directories, cron drop-in directories, and application config directories.
  • Arbitrary file append/corruption: Existing files can have log-format lines appended, degrading parsers that expect strict formats (sshd_config, crontab, /etc/hosts, application config files).
  • Partial content control via URL: The scan target URL appears verbatim in log output; combined with creative path targeting, this may enable injection into certain file formats.
  • No authentication required in the default deployment.
  • When dalfox runs under a privileged account (e.g., in a CI pipeline or as root in a container), the blast radius extends to system-wide files.

Recommended Remediation

Option 1: Strip filesystem-dangerous fields from API-sourced requests (preferred)

Nullify all fields that touch the local filesystem before passing options to ScanFromAPI. This is the same remediation recommended for the found-action RCE and custom-payload-file file-read findings and should be applied as a single consolidated patch:

// pkg/server/server.go — in postScanHandler, before ScanFromAPI:
rq.Options.OutputFile = ""
rq.Options.OutputAll = false          // safe to leave user value; file write is blocked by OutputFile=""
rq.Options.CustomPayloadFile = ""
rq.Options.CustomBlindXSSPayloadFile = ""
rq.Options.FoundAction = ""
rq.Options.FoundActionShell = ""
rq.Options.HarFilePath = ""

Option 2: Guard the file write with IsLibrary in DalLog

Move the OutputFile write block inside the else branch so it only executes in non-library (CLI) mode:

// internal/printing/logger.go — restructure the if-else:
if options.IsLibrary {
    options.ScanResult.Logs = append(options.ScanResult.Logs, text)
} else {
    // existing stderr printing logic...

    // file write belongs here, not after the if-else
    if options.OutputFile != "" && ftext != "" {
        f, err := os.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
        ...
    }
}

This fix addresses the root structural cause — the file write was intended for CLI mode only, and gating it on !IsLibrary matches that intent. Option 1 is still recommended as the primary fix; Option 2 adds defence-in-depth but requires care to not break legitimate CLI usage.

Option 3: Require --api-key at server startup

As with the other server-mode findings, making authentication mandatory eliminates the unauthenticated attack surface entirely:

// cmd/server.go — in runServerCmd:
if serverType == "rest" && apiKey == "" {
    fmt.Fprintln(os.Stderr, "ERROR: --api-key is required when running in REST server mode.")
    os.Exit(1)
}

All three options should be applied together.

Credit

Emmanuel David

Github:- https://github.com/drmingler.

Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-434",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:08:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nWhen dalfox is run in REST API server mode, the `output`, `output-all`, and `debug` fields in `model.Options` are JSON-tagged and deserialized directly from the attacker\u0027s request body, then propagated unchanged through `dalfox.Initialize` into the scan engine\u0027s logging path. The logger opens the attacker-supplied path with `os.O_APPEND|os.O_CREATE|os.O_WRONLY` and writes scan log lines to it. Critically, this file write block lives outside the `IsLibrary` guard in `DalLog`, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem.\n\n## Severity\n\n**High** (CVSS 3.1: 8.2)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L`\n\n- **Attack Vector:** Network \u2014 server binds to `0.0.0.0:6664` by default.\n- **Attack Complexity:** Low \u2014 no preconditions; all trigger options (`output`, `output-all`, `debug`) are fully attacker-supplied in the JSON body.\n- **Privileges Required:** None \u2014 `--api-key` defaults to `\"\"`, so the auth middleware is never registered.\n- **User Interaction:** None.\n- **Scope:** Unchanged \u2014 the file write stays within the dalfox process\u0027s OS authority.\n- **Confidentiality Impact:** None \u2014 this is a write-only primitive; no data is returned to the caller.\n- **Integrity Impact:** High \u2014 the attacker has full control over which file path is opened, enabling creation of new files or corruption of existing files anywhere the dalfox process has write permission. While the log content format is semi-fixed, the file path is entirely attacker-determined, making the integrity violation complete with respect to file targeting.\n- **Availability Impact:** Low \u2014 corrupting application configuration files or log files on the host can degrade the availability of other services relying on those files.\n\n## Affected Component\n\n- `cmd/server.go` \u2014 `init()` (line 51): `--api-key` defaults to `\"\"` \u2014 no auth by default\n- `pkg/server/server.go` \u2014 `setupEchoServer()` (line 68): auth middleware only registered when `APIKey != \"\"`\n- `pkg/server/server.go` \u2014 `postScanHandler()` (lines 173\u2013191): `rq.Options` (including `OutputFile`, `OutputAll`, `Debug`) passed to `ScanFromAPI` without sanitization\n- `lib/func.go` \u2014 `Initialize()` (line 107): `OutputFile` explicitly propagated from caller options; `OutputAll` (line 167) and `Debug` (line 176) likewise\n- `internal/printing/logger.go` \u2014 `DalLog()` (lines 230\u2013244): `os.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)` executes outside the `IsLibrary` guard\n\n## CWE\n\n- **CWE-306**: Missing Authentication for Critical Function\n- **CWE-73**: External Control of File Name or Path\n- **CWE-434**: Unrestricted Upload of File with Dangerous Type (write-path variant)\n\n## Description\n\n### `output`, `output-all`, and `debug` Are Fully Attacker-Controlled\n\n`model.Options` exposes all three trigger fields with JSON tags:\n\n```go\n// pkg/model/options.go:88,85,88\nOutputFile  string `json:\"output,omitempty\"`\nOutputAll   bool   `json:\"output-all,omitempty\"`\nDebug       bool   `json:\"debug,omitempty\"`\n```\n\n`postScanHandler` binds the entire `Req.Options` from the JSON body and passes it directly to `ScanFromAPI`:\n\n```go\n// pkg/server/server.go:173-191\nrq := new(Req)\nif err := c.Bind(rq); err != nil { ... }\ngo ScanFromAPI(rq.URL, rq.Options, *options, sid)\n```\n\n`Initialize` explicitly copies all three fields into `newOptions`:\n\n```go\n// lib/func.go:107, 167, 176\n\"OutputFile\": {\u0026newOptions.OutputFile, options.OutputFile},\n...\n\"OutputAll\":  {\u0026newOptions.OutputAll, options.OutputAll},\n...\n\"Debug\":      {\u0026newOptions.Debug, options.Debug},\n```\n\n### The File Write Is Not Guarded by `IsLibrary`\n\n`Initialize` always sets `IsLibrary: true` (line 20) and `Silence: true` (line 44) in its returned options \u2014 the intent being that the scan engine runs in embedded/library mode during API calls, suppressing terminal I/O. `DalLog` does respect this for stderr output: lines 203\u2013228 route logs to `ScanResult.Logs` (not stderr) when `IsLibrary` is true. However, the file write block at lines 230\u2013244 is positioned **after and outside** that `if-else`:\n\n```go\n// internal/printing/logger.go\nmutex.Lock()\nif options.IsLibrary {\n    options.ScanResult.Logs = append(options.ScanResult.Logs, text)  // API path\n} else {\n    // stderr printing (CLI path)\n}\n\n// \u2190 file write is here, unconditionally \u2014 no IsLibrary check\nif options.OutputFile != \"\" {\n    var fdtext string\n    if ftext != \"\" {\n        fdtext = ftext\n        f, err := os.OpenFile(options.OutputFile,\n            os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\n        if err != nil {\n            fmt.Fprintln(os.Stderr, \"output file error (file)\")\n        }\n        defer f.Close()\n        if _, err := f.WriteString(fdtext + \"\\n\"); err != nil {\n            fmt.Fprintln(os.Stderr, \"output file error (write)\")\n        }\n    }\n}\nmutex.Unlock()\n```\n\nThe `ftext` variable is populated whenever `allWrite` is true (`options.Debug || options.OutputAll`). Since both are attacker-supplied, both conditions are trivially satisfied.\n\n### What Gets Written\n\nLog lines of the form:\n\n```\n[*] Starting scan [SID:\u003cid\u003e] / URL: \u003cattacker-supplied-url\u003e\n[I] Checking BAV\n[E] connection refused\n[DEBUG] \u003cinternal state\u003e\n...\n```\n\nThe URL appears verbatim in log messages, giving the attacker partial influence over the written content. While the format is not fully arbitrary (fixed prefixes like `[*] `, `[I] `, `[E] `), the **file path is entirely attacker-controlled**. The flags `O_CREATE` (creates the file if absent) and `O_APPEND` (never truncates) mean the attacker can:\n- Create new files at arbitrary paths\n- Append log content to existing files (corrupting configs, auth files, cron entries if the line happens to match syntax)\n\n### No Defense at Any Layer\n\nThe same opt-in API key gap applies here as in all prior findings:\n\n```go\n// pkg/server/server.go:68-70\nif options.ServerType == \"rest\" \u0026\u0026 options.APIKey != \"\" {\n    e.Use(apiKeyAuth(options.APIKey, options))\n}\n```\n\nThere is no path allowlist, no `IsLibrary` guard on the file write, and no stripping of `OutputFile` from API-sourced requests anywhere in the codebase.\n\n## Proof of Concept\n\n```bash\n# Step 1 \u2014 Start dalfox REST server (default: no API key)\ngo run . server --host 127.0.0.1 --port 16664 --type rest\n\n# Step 2 \u2014 Verify health (unauthenticated)\ncurl -s http://127.0.0.1:16664/health\n# Expected: {\"code\":200,\"msg\":\"ok\"}\n\n# Step 3 \u2014 Trigger arbitrary file creation with attacker-controlled path\ncurl -s -X POST http://127.0.0.1:16664/scan \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\n    \"url\": \"http://127.0.0.1:1/?x=1\",\n    \"options\": {\n      \"output\": \"/tmp/dalfox_sink_poc.log\",\n      \"output-all\": true,\n      \"debug\": true,\n      \"use-headless\": false\n    }\n  }\u0027\n\n# Step 4 \u2014 Verify file was created and written to by the dalfox process\nsleep 2\ncat /tmp/dalfox_sink_poc.log\n# Expected:\n# [*] Starting scan [SID:...] / URL: http://127.0.0.1:1/?x=1\n# [I] Checking BAV\n# [E] ...\n```\n\nNo `X-API-KEY` header is required. Replace `/tmp/dalfox_sink_poc.log` with any path writable by the dalfox process: `/var/www/html/injected.txt`, `/etc/cron.d/dalfox`, `~/.ssh/authorized_keys` (appending log lines that won\u0027t break key format but pollute the file), etc.\n\n## Impact\n\n- **Arbitrary file creation**: The attacker can create files at any path on the dalfox host filesystem accessible to the dalfox process, including web-serving directories, cron drop-in directories, and application config directories.\n- **Arbitrary file append/corruption**: Existing files can have log-format lines appended, degrading parsers that expect strict formats (sshd_config, crontab, /etc/hosts, application config files).\n- **Partial content control via URL**: The scan target URL appears verbatim in log output; combined with creative path targeting, this may enable injection into certain file formats.\n- **No authentication required** in the default deployment.\n- When dalfox runs under a privileged account (e.g., in a CI pipeline or as root in a container), the blast radius extends to system-wide files.\n\n## Recommended Remediation\n\n### Option 1: Strip filesystem-dangerous fields from API-sourced requests (preferred)\n\nNullify all fields that touch the local filesystem before passing options to `ScanFromAPI`. This is the same remediation recommended for the `found-action` RCE and `custom-payload-file` file-read findings and should be applied as a single consolidated patch:\n\n```go\n// pkg/server/server.go \u2014 in postScanHandler, before ScanFromAPI:\nrq.Options.OutputFile = \"\"\nrq.Options.OutputAll = false          // safe to leave user value; file write is blocked by OutputFile=\"\"\nrq.Options.CustomPayloadFile = \"\"\nrq.Options.CustomBlindXSSPayloadFile = \"\"\nrq.Options.FoundAction = \"\"\nrq.Options.FoundActionShell = \"\"\nrq.Options.HarFilePath = \"\"\n```\n\n### Option 2: Guard the file write with `IsLibrary` in `DalLog`\n\nMove the `OutputFile` write block inside the `else` branch so it only executes in non-library (CLI) mode:\n\n```go\n// internal/printing/logger.go \u2014 restructure the if-else:\nif options.IsLibrary {\n    options.ScanResult.Logs = append(options.ScanResult.Logs, text)\n} else {\n    // existing stderr printing logic...\n\n    // file write belongs here, not after the if-else\n    if options.OutputFile != \"\" \u0026\u0026 ftext != \"\" {\n        f, err := os.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\n        ...\n    }\n}\n```\n\nThis fix addresses the root structural cause \u2014 the file write was intended for CLI mode only, and gating it on `!IsLibrary` matches that intent. Option 1 is still recommended as the primary fix; Option 2 adds defence-in-depth but requires care to not break legitimate CLI usage.\n\n### Option 3: Require `--api-key` at server startup\n\nAs with the other server-mode findings, making authentication mandatory eliminates the unauthenticated attack surface entirely:\n\n```go\n// cmd/server.go \u2014 in runServerCmd:\nif serverType == \"rest\" \u0026\u0026 apiKey == \"\" {\n    fmt.Fprintln(os.Stderr, \"ERROR: --api-key is required when running in REST server mode.\")\n    os.Exit(1)\n}\n```\n\nAll three options should be applied together.\n\n##Credit\n\nEmmanuel David\n\nGithub:- https://github.com/drmingler.",
  "id": "GHSA-8hf9-3q64-q2qf",
  "modified": "2026-05-12T15:08:27Z",
  "published": "2026-05-12T15:08:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/security/advisories/GHSA-8hf9-3q64-q2qf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hahwul/dalfox"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/releases/tag/v2.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.