How the CVE Works
The vulnerability (CVE-2025-XXXX) in SaltStack stems from insufficient path validation in the `recv_file` method, allowing attackers to perform directory traversal attacks. By manipulating file paths, an authenticated attacker can write arbitrary files to the master cache directory. This could lead to remote code execution (RCE) if combined with other exploits, as the master server runs with elevated privileges. The flaw affects Salt versions >= 3007.0rc1 (< 3007.4) and >= 3006.0rc1 (< 3006.12). Attackers exploit this by sending crafted file paths containing `../` sequences, bypassing directory restrictions.
DailyCVE Form
Platform: SaltStack
Version: 3006.0rc1-3006.11
Vulnerability: Directory Traversal
Severity: Critical
Date: Jun 13, 2025
Prediction: Patch by Jun 20, 2025
What Undercode Say
```
salt-call --local file.read /etc/passwd
salt-run fileserver.update
```
Exploit PoC (simplified)
```python
import salt.client

client = salt.client.LocalClient()
client.cmd('target', 'file.recv', ['../../malicious_file'])
```
How Exploit
- Authenticated attacker sends malicious file path.
- Path traversal bypasses restrictions.
- Arbitrary file written to master cache.
Protection from this CVE
- Upgrade to 3006.12 or 3007.4.
- Restrict Salt master access.
- Monitor file writes.
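The kind of containment check whose absence the `recv_file` description above points to, as an added example (not Salt's patch and not code from this page). The function names, `UnsafePathError`, and the sample paths are hypothetical; the cache root is a temporary directory built for the demo.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would escape the cache root."""


def naive_cache_path(cache_root, rel_path):
    # Weak pattern: join and trust the result; "../" walks out of cache_root.
    return os.path.normpath(os.path.join(cache_root, rel_path))


def safe_cache_path(cache_root, rel_path):
    """Return the resolved destination, or raise if it leaves cache_root."""
    if not rel_path or "\x00" in rel_path:
        raise UnsafePathError("empty path or NUL byte")
    if os.path.isabs(rel_path):
        raise UnsafePathError("absolute path not allowed")
    root = os.path.realpath(cache_root)
    # realpath collapses ".." and follows symlinks already present on disk.
    dest = os.path.realpath(os.path.join(root, rel_path))
    if dest == root or os.path.commonpath([root, dest]) != root:
        raise UnsafePathError("path escapes cache root: %r" % rel_path)
    return dest


def is_allowed(cache_root, rel_path):
    try:
        safe_cache_path(cache_root, rel_path)
        return True
    except UnsafePathError:
        return False


def demo():
    # Constructed sample inputs; the cache root is a throwaway temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "cache")
        os.makedirs(root)
        samples = ["files/base/top.sls", "../../malicious_file",
                   "a/../../b", "/etc/cron.d/x", "a/../b"]
        return {p: is_allowed(root, p) for p in samples}


if __name__ == "__main__":
    for path, ok in demo().items():
        print("%-24s %s" % (path, "accepted" if ok else "rejected"))
```

Resolving the joined path first and then comparing it with the resolved root is what rejects `a/../../b`, which a simple check for a leading `../` would miss.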
Impact
- Remote code execution (RCE).
- Unauthorized file access.
- Master server compromise.
Sources:
Reported By: github.com