Salt junos Module, Code Injection via YAML Payload, High Severity

Listen to this Post

The vulnerability in Salt’s junos execution module arises from the use of unsafe YAML deserialization functions, specifically `yaml.load()` from the PyYAML library. When the module processes YAML data, such as from network configuration templates or external inputs, it fails to restrict dangerous YAML constructs. Attackers can craft a malicious YAML payload containing special tags like `!!python/object/apply` to embed arbitrary Python code. Upon deserialization, this code executes within the Salt process context, which typically runs with elevated privileges. Exploitation requires the payload to be processed by vulnerable junos module functions, often via Salt states, pillars, or API calls. The junos module is used for managing Juniper devices, so compromised Salt masters could lead to network device manipulation. The issue stems from not using yaml.safe_load(), which only allows basic YAML types. A sample payload might include `!!python/object/apply:os.system [“cat /etc/shadow”]` to execute commands. This allows remote code execution if an attacker can supply YAML to the vulnerable module. Salt’s architecture, where YAML is commonly used for data serialization, increases the attack surface. The vulnerability is critical in environments where Salt masters are exposed or YAML inputs are from untrusted sources. Patches must replace `yaml.load()` with safe alternatives and validate all YAML inputs. Until fixed, administrators should audit YAML usage in Salt configurations and restrict access to junos module functions.
Platform: Salt
Version: All versions
Vulnerability: YAML code injection
Severity: High
Date: Jan 30 2026

Prediction: Patch expected Feb 2026

What Undercode Say:

Showing bash commands and codes related to the blog

Craft malicious YAML payload
cat > exploit.yml << 'EOF'
!!python/object/apply:os.system ["id > /tmp/exploit"]
EOF
Simulate vulnerable YAML load in Python
python3 -c "import yaml; yaml.load(open('exploit.yml'))"

how Exploit:

Attackers inject malicious YAML via Salt junos module functions, such as `junos.load_yaml` or configuration templates. The payload executes arbitrary commands on the Salt master or minion when deserialized.

Protection from this CVE

Use yaml.safe_load(), sanitize YAML inputs, restrict module access, update Salt to patched versions, implement network segmentation.

Impact:

Remote code execution, Salt master compromise, network device tampering, privilege escalation, data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top