How the CVE Works
The vulnerability (CVE-2025-XXXXX) in SaltStack allows directory traversal attacks during minion file cache creation. The master’s default cache fails to properly sanitize user-supplied paths, enabling attackers to manipulate file paths using `../` sequences. This could allow writing or overwriting files outside the intended cache directory. The flaw arises due to insufficient validation when processing cached files, permitting unauthorized filesystem access. Exploitation requires minion access, but successful attacks could lead to arbitrary file writes, configuration tampering, or further system compromise.
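The containment check whose absence is described above, shown beside an unchecked join. This is an added example, not Salt's code or its patch; the function names and sample paths are hypothetical.

```python
import os
import tempfile


def naive_cache_path(cache_root, rel_path):
    """Unchecked pattern: join the supplied path and trust the result."""
    return os.path.normpath(os.path.join(cache_root, rel_path))


def safe_cache_path(cache_root, rel_path):
    """Return the resolved destination under cache_root or raise ValueError."""
    if "\x00" in rel_path:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(cache_root)
    # realpath collapses ../ sequences and follows symlinks, so the check
    # below is made on the location that would really be written.
    dest = os.path.realpath(os.path.join(root, rel_path))
    # An absolute rel_path makes os.path.join discard root entirely;
    # the containment test rejects that case as well.
    if dest == root or os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes cache directory: {rel_path!r}")
    return dest


def escapes(cache_root, rel_path):
    """True when safe_cache_path rejects rel_path."""
    try:
        safe_cache_path(cache_root, rel_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="cache-demo-")  # constructed cache dir
    # Constructed sample inputs, including the traversal form from this page.
    samples = ["files/base/top.sls", "a/../b.txt",
               "../../../target/file", "/etc/passwd"]
    for rel in samples:
        verdict = "REJECT" if escapes(root, rel) else "allow"
        print(f"{verdict:6} {rel!r:28} naive -> {naive_cache_path(root, rel)}")
```

Resolving before comparing matters: a string prefix test on the unresolved path misses symlinks inside the cache directory and sibling directories that share the prefix.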
DailyCVE Form
Platform: SaltStack
Version: 3006.0rc1-3006.11, 3007.0rc1-3007.3
Vulnerability: Directory Traversal
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch by Jun 20, 2025
What Undercode Say
```bash
# Check Salt version
salt --versions-report
# Exploit PoC (simulated traversal)
curl -X POST -d "../../evil_file" http://salt-master/cache
# Mitigation test
grep "file_cache_path" /etc/salt/master
```
How the Exploit Works
1. Minion sends malformed path (`../../../target/file`).
2. Master caches file outside restricted directory.
3. Attacker overwrites critical system files.
Protection from this CVE
- Update to Salt 3006.12/3007.4.
- Restrict minion cache permissions.
- Audit file_cache_path configurations.
Impact
- Arbitrary file writes.
- Privilege escalation.
- Configuration hijacking.
Sources:
Reported By: github.com