How the CVE Works
CVE-2025-46096 is a critical directory traversal vulnerability in Solon v3.1.2, specifically within the `solon-faas-luffy` component. An attacker can exploit improper path sanitization to traverse directories and inject malicious scripts, leading to cross-site scripting (XSS) attacks. The flaw occurs when processing metrics data, allowing unauthorized file access or remote code execution via crafted HTTP requests. The lack of input validation enables attackers to bypass security controls and compromise the system.
DailyCVE Form
Platform: Solon
Version: 3.1.2
Vulnerability: Directory Traversal → XSS
Severity: Critical
Date: 06/23/2025
Prediction: Patch by 07/15/2025
What Undercode Says
Analytics:
curl -X GET "http://target/metrics?path=../../../etc/passwd"
grep -r "solon-faas-luffy" /var/log/solon
Exploit:
import requests

payload = "../../../malicious.js"
response = requests.get(f"http://victim.com/metrics?path={payload}")
Protection:
- Update to Solon v3.1.3+
- Implement strict input validation
- Disable `solon-faas-luffy` if unused
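As an added, defender-side example (not code from this page or from the Solon project): the containment check that the "strict input validation" item above amounts to for a `path` parameter like the one described in the CVE, together with a detector that flags traversal attempts in access-log lines. `METRICS_ROOT`, the `/metrics` route shape, the common-log-format regex and the sample log lines are all assumptions constructed for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

METRICS_ROOT = "/srv/solon/metrics"  # hypothetical directory the endpoint may read
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a bare '..' path segment
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP')  # common log format

def _fully_decode(value: str, rounds: int = 3) -> str:
    """Peel nested percent-encoding so '%252e%252e/' is seen as '../'."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def is_safe_metrics_path(user_path: str, root: str = METRICS_ROOT) -> bool:
    """True only if the decoded user_path resolves to a location inside root."""
    decoded = _fully_decode(user_path)
    if not decoded or "\x00" in decoded or os.path.isabs(decoded):
        return False
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, decoded))
    # commonpath is the containment test; a plain startswith() would accept
    # "/srv/solon/metrics-old" as being inside "/srv/solon/metrics".
    return os.path.commonpath([root_abs, candidate]) == root_abs

def find_traversal_attempts(log_lines):
    """Return (client_ip, decoded_path) for /metrics requests whose `path` still holds '..' after decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if parts.path != "/metrics":
            continue
        for value in parse_qs(parts.query).get("path", []):
            decoded = _fully_decode(value)  # parse_qs already decoded once
            if TRAVERSAL_RE.search(decoded):
                hits.append((ip, decoded))
    return hits

# Constructed access-log lines (not real traffic); the last two reuse the payload shapes quoted on this page.
LOG_SAMPLE = [
    '10.0.0.5 - - [23/Jun/2025:10:00:01 +0000] "GET /metrics?path=cpu.json HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2025:10:00:02 +0000] "GET /metrics?path=../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [23/Jun/2025:10:00:03 +0000] "GET /metrics?path=%252e%252e/%252e%252e/malicious.js HTTP/1.1" 404 0',
]
```

The double-encoded third line is the case a single `unquote` (or a naive `".." in value` check on the raw query) misses, which is why both functions decode repeatedly before deciding.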
Impact:
- Remote code execution
- Data exfiltration
- System compromise
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode