Salt, File Contents Overwrite Vulnerability, CVE-2025-XXXX (Moderate)

How the CVE Works:

The vulnerability occurs when Salt’s “on-demand pillar” data is requested, triggering the `VirtKey` class. This class uses unvalidated input to construct paths to the “pki directory.” Attackers can exploit this by manipulating the input to overwrite file contents in the pki directory, potentially auto-accepting unauthorized Minion authentication keys. The default configuration enables this functionality, relying on a pre-placed authorization file at a specific location.
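
The unvalidated path construction described above, shown beside a validated form, as an added example that is not Salt's code or its patch. The `preauth` subdirectory, the function names and the sample names are hypothetical and constructed for illustration.

```python
import os
import tempfile

SUBDIR = "preauth"  # hypothetical subdirectory name, not taken from Salt


def unsafe_key_path(pki_dir, name):
    # Vulnerable pattern: caller-supplied name goes straight into the path.
    return os.path.join(pki_dir, SUBDIR, name)


def safe_key_path(pki_dir, name):
    """Return the path for `name` under <pki_dir>/SUBDIR, or raise ValueError."""
    base = os.path.realpath(os.path.join(pki_dir, SUBDIR))
    # Only a single, non-special path component is a valid name.
    if not name or name in (".", "..") or "\x00" in name:
        raise ValueError("invalid name")
    if os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError("name must be a single path component")
    # Resolve symlinks, then confirm the result is still inside the base.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("name resolves outside the base directory")
    return candidate


def demo():
    """Return {name: (unsafe_escapes_base, safe_accepts)} for constructed names."""
    results = {}
    with tempfile.TemporaryDirectory() as pki_dir:
        base = os.path.realpath(os.path.join(pki_dir, SUBDIR))
        os.makedirs(base)
        # A symlink planted inside the base that points back out of it.
        os.symlink(pki_dir, os.path.join(base, "link"))
        names = ["web01.example.com", os.path.join("..", "other", "file"), "link", ""]
        for name in names:
            raw = os.path.realpath(unsafe_key_path(pki_dir, name))
            escapes = os.path.commonpath([base, raw]) != base
            try:
                accepted = bool(safe_key_path(pki_dir, name))
            except ValueError:
                accepted = False
            results[name] = (escapes, accepted)
    return results


if __name__ == "__main__":
    for name, (escapes, accepted) in demo().items():
        print(f"{name!r}: unsafe escapes base={escapes}, safe accepts={accepted}")
```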

DailyCVE Form:

Platform: Salt
Version: >= 3006.0rc1, < 3006.12 | >= 3007.0rc1, < 3007.4
Vulnerability: File overwrite via unvalidated input
Severity: Moderate
Date: Jun 13, 2025

Prediction: Patch expected by Jun 20, 2025

What Undercode Say:

Analytics:

```bash
grep -r "VirtKey" /opt/salt/
salt-key --list-all
```

How Exploit:

1. Craft malicious pillar request.

2. Overwrite pki directory files.

3. Force auto-accept rogue Minion key.

Protection from this CVE:

  • Update to 3006.12 or 3007.4.
  • Disable on-demand pillar if unused.
  • Restrict pki directory permissions.

Impact:

Unauthorized Minion authentication.

Privilege escalation via key trust.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
