How the CVE Works
The vulnerability exists in SaltStack’s ‘on demand’ pillar functionality, which allows minions to request pillar data dynamically. An attacker with a compromised minion key can craft a malicious git URL containing command injection payloads. When the master processes this URL while fetching pillar data, the injected commands execute with the same privileges as the Salt master process. This occurs due to insufficient input sanitization in the git URL handling logic, enabling arbitrary code execution.
DailyCVE Form
Platform: SaltStack
Version: >=3006.0rc1, <3006.12 | >=3007.0rc1, <3007.4
Vulnerability: Command Injection
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch by Jun 27, 2025
What Undercode Say
salt '*' pillar.items    # Lists pillar data
salt-run pillar.show_pillar    # Displays pillar contents
git clone --filter=blob:none "malicious_payload"    # Exploit vector
How Exploit
1. Compromise minion key.
2. Craft malicious git URL with command injection.
3. Trigger on-demand pillar fetch.
Protection from this CVE
- Update to 3006.12 or 3007.4.
- Restrict minion key access.
- Sanitize git URL inputs.
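One way to apply the "sanitize git URL inputs" item, shown as an added example that is not part of the original post and is not SaltStack's actual patch. The function names, the allowed schemes and the host `git.example.com` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not taken from Salt's code base):
ALLOWED_SCHEMES = {"https", "ssh"}
ALLOWED_HOSTS = {"git.example.com"}  # hypothetical internal git server
# Conservative path alphabet: no whitespace, quotes or shell metacharacters.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]+$")


def validate_git_url(url: str) -> str:
    """Return url unchanged if it passes every check, else raise ValueError."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        raise ValueError("empty, non-string or oversized URL")
    # A leading '-' would be parsed by git as a command-line option.
    if url.startswith("-"):
        raise ValueError("URL must not start with '-'")
    # Reject whitespace and control characters anywhere in the value.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    if parts.query or parts.fragment:
        raise ValueError("query string and fragment are not accepted")
    if parts.username not in (None, "git") or parts.password is not None:
        raise ValueError("unexpected credentials in URL")
    if not SAFE_PATH.match(parts.path) or ".." in parts.path.split("/"):
        raise ValueError("path contains characters outside the allowlist")
    return url


def build_clone_argv(url: str, dest: str) -> list:
    """Build an argv list (never a shell string) for a validated URL."""
    # '--' ends option parsing, so the URL can only be read as a positional.
    return ["git", "clone", "--", validate_git_url(url), dest]
```

Validation of this kind is defense in depth for values a minion can influence; upgrading to the fixed releases listed above remains the primary remediation.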
Impact
- Arbitrary command execution.
- Master process compromise.
- Privilege escalation risk.
Sources:
Reported By: github.com