CVE-2026-33183 Overview
A path traversal vulnerability exists in Saloon, a PHP library used to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to construct file paths under the configured fixture directory without proper validation. This allowed attackers to use path segments such as ../traversal or ../../etc/passwd to escape the intended directory, enabling read or write operations on arbitrary files accessible to the process.
Critical Impact
When fixture names are derived from user or attacker-controlled input, this vulnerability can lead to disclosure of sensitive files or overwriting of critical system files, potentially compromising the entire application and underlying system.
Affected Products
- Saloon PHP Library versions prior to 4.0.0
Discovery Timeline
- 2026-03-26 - CVE-2026-33183 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33183
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw resides in the fixture layer of the Saloon library, where user-supplied fixture names are concatenated directly into file paths without sanitization or validation.
When an application uses Saloon's fixture functionality for mocking API responses or recording responses for later playback, it relies on fixture names to determine file storage locations. If these fixture names contain special path characters like .. (parent directory reference), / (forward slash), or \ (backslash), an attacker can manipulate the final resolved path to point outside the intended fixture directory.
The vulnerability is exploitable over the network without requiring authentication or user interaction, making it a significant risk for applications that expose fixture name parameters to external input.
Root Cause
The root cause lies in the insufficient validation of fixture names before they are used to construct file paths. The fixture layer accepted arbitrary strings as fixture names without checking for dangerous path traversal sequences (..), path separators (/, \), or null bytes. This allowed crafted input to break out of the configured fixture directory hierarchy and access arbitrary locations on the filesystem.
Attack Vector
An attacker can exploit this vulnerability by supplying a malicious fixture name through any input vector that eventually feeds into Saloon's fixture system. Attack scenarios include:
Read Operations (Information Disclosure):
When the application reads fixtures (e.g., for mocking), an attacker-controlled fixture name like ../../etc/passwd could cause the application to read and potentially expose sensitive system files.
Write Operations (File Overwrite):
When recording API responses, a malicious fixture name could cause the application to write response data to critical system files, potentially leading to configuration tampering, code injection, or denial of service.
The attack requires no authentication and can be performed remotely if the application accepts fixture names from external sources such as request parameters, headers, or configuration values.
Detection Methods for CVE-2026-33183
Indicators of Compromise
- Unusual file access patterns in application logs showing attempts to read or write files outside the designated fixture directory
- Presence of path traversal sequences (../, ..\\, ....//) in HTTP request parameters or application configuration
- Unexpected modifications to system configuration files or application files outside the normal application scope
- Error logs indicating failed file operations in sensitive system directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in incoming requests
- Deploy file integrity monitoring (FIM) on critical system files and directories to detect unauthorized modifications
- Enable detailed logging for file system operations within the application and monitor for anomalous access patterns
- Conduct regular code audits to identify instances where user input flows into fixture name parameters
Monitoring Recommendations
- Monitor application logs for path traversal attempt patterns such as encoded sequences (%2e%2e%2f, %2e%2e/, ..%2f)
- Set up alerts for any file operations occurring outside the designated fixture directories
- Track and audit all HTTP request parameters that could potentially influence fixture naming
- Implement runtime application self-protection (RASP) to detect path traversal attempts at the application layer
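The monitoring items above list the raw and URL-encoded traversal forms to look for. As an added example (not part of the advisory and not Saloon code), the following PHP scans constructed request-log lines for those forms and generalizes slightly to double-encoded values and the `....//` filter-evasion variant mentioned under Indicators of Compromise. The log line format, the `fixture` parameter name and the sample lines are constructed assumptions; it requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or from Saloon: flag request
// parameters that carry path-traversal sequences, including the URL-encoded
// forms listed above and double-encoded or "....//" evasion variants.
// The log line format and the "fixture" parameter name are constructed.

/**
 * Decode a bounded number of times so %252e%252e%252f (double-encoded) ends up
 * as "../", then fold backslashes and repeated slashes into a single "/".
 */
function normalizeForTraversalCheck(string $value, int $maxRounds = 3): string
{
    $current = $value;
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($current);
        if ($decoded === $current) {
            break;
        }
        $current = $decoded;
    }
    return preg_replace('#[\\\\/]+#', '/', $current);
}

/**
 * True when the normalized value contains a null byte or a path segment made
 * of two or more dots ("..", and "....//"-style segments that would become
 * "../" after a single stripping pass).
 */
function looksLikeTraversal(string $value): bool
{
    $n = normalizeForTraversalCheck($value);
    return str_contains($n, "\0") || preg_match('#(^|/)\.{2,}(/|$)#', $n) === 1;
}

/**
 * Scan lines of the constructed form "<METHOD> <path?query> <status>" and
 * return one human-readable finding per suspicious query parameter.
 */
function scanRequestLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        if (preg_match('/^(\S+)\s+(\S+)\s+(\d{3})$/', trim($line), $m) !== 1) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);   // parse_str applies one round of URL decoding itself
        foreach ($params as $key => $value) {
            if (is_string($value) && looksLikeTraversal($value)) {
                $findings[] = sprintf('line %d: %s parameter "%s" = %s', $index + 1, $m[1], $key, $value);
            }
        }
    }
    return $findings;
}

// Constructed sample log lines; lines 2, 3 and 4 should be flagged.
$sampleLines = [
    'GET /api/mock?fixture=users.get 200',
    'GET /api/mock?fixture=%2e%2e%2f%2e%2e%2fetc%2fpasswd 200',
    'POST /api/record?fixture=..%252f..%252fetc%252fpasswd 500',
    'GET /api/mock?fixture=....//....//etc/passwd 404',
    'GET /api/mock?fixture=orders.list 200',
];

foreach (scanRequestLines($sampleLines) as $finding) {
    echo $finding, PHP_EOL;
}
```

The bounded decode loop matters: a single `urldecode` pass sees `..%252f` only as `..%2f`, so a detector that decodes once misses double-encoded requests, while an unbounded loop can be made to spin on pathological input. Feed `scanRequestLines` your own access-log lines (after adapting the line regex to your log format) and route the findings to the alerting used for the file-operation alerts above.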
How to Mitigate CVE-2026-33183
Immediate Actions Required
- Upgrade Saloon PHP library to version 4.0.0 or later immediately
- Review application code to identify all locations where user input could influence fixture names
- Implement input validation at the application layer as an additional defense even after patching
- Audit file system permissions to limit the impact of potential exploitation
Patch Information
The fix implemented in version 4.0.0 includes multiple layers of protection:
- Fixture Layer Validation: The fixture layer now rejects names containing /, \, .., or null bytes, and restricts fixture names to a safe character set
- Storage Layer Defense-in-Depth: The storage layer now validates that the resolved absolute path remains under the configured base directory before performing any read or write operation
For upgrade instructions, refer to the Saloon Upgrade Guide. Additional technical details are available in the GitHub Security Advisory GHSA-f7xc-5852-fj99.
Workarounds
- If immediate upgrade is not possible, implement strict input validation on all parameters that could influence fixture names, rejecting any input containing .., /, \, or null bytes
- Restrict file system permissions for the PHP process to limit access to only necessary directories
- Use chroot jails or containerization to limit the filesystem scope accessible to the application
- Disable fixture recording functionality if it is not required in production environments
# Verify Saloon version and upgrade
composer show saloonphp/saloon | grep versions
composer require saloonphp/saloon:^4.0.0
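The two layers of the 4.0.0 fix described under Patch Information (name validation in the fixture layer, base-directory containment in the storage layer) are also exactly what the first workaround asks an application to do on its own while it cannot upgrade. As an added example, not code from Saloon or from the advisory, the PHP below implements both checks as stand-alone functions an application can call before any fixture read or write. The class name, the allowed character set, the sample names and the use of the system temp directory as the fixture directory are assumptions; it requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not code from Saloon or from the advisory. It reproduces
// the two layers the 4.0.0 fix is described as adding, as stand-alone
// functions an application can apply before any fixture read or write.
// Class name, allowed character set and sample names are assumptions.

final class FixturePathGuard
{
    /**
     * Layer 1 (fixture layer): reject separators, "..", null bytes, and
     * anything outside an allow-list of characters. Returns the name unchanged.
     */
    public static function assertSafeFixtureName(string $name): string
    {
        if ($name === '' || str_contains($name, "\0")) {
            throw new InvalidArgumentException('fixture name is empty or contains a null byte');
        }
        if (str_contains($name, '/') || str_contains($name, '\\') || str_contains($name, '..')) {
            throw new InvalidArgumentException('fixture name contains a path separator or ".."');
        }
        // Assumed allow-list: letters, digits, dot, dash and underscore.
        if (preg_match('/^[A-Za-z0-9._-]+$/', $name) !== 1) {
            throw new InvalidArgumentException('fixture name contains characters outside the allowed set');
        }
        return $name;
    }

    /**
     * Layer 2 (storage layer, defense in depth): resolve the candidate path
     * lexically and confirm it stays under the base directory. realpath() is
     * applied only to the base, because a fixture that is about to be recorded
     * does not exist yet and realpath() would return false for it.
     */
    public static function resolveUnderBase(string $baseDir, string $relative): string
    {
        $base = realpath($baseDir);
        if ($base === false) {
            throw new RuntimeException("fixture base directory does not exist: $baseDir");
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR);

        $segments = [];
        foreach (preg_split('#[\\\\/]+#', $relative) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue;
            }
            if ($segment === '..') {
                if ($segments === []) {
                    // ".." would climb above the base: refuse rather than clamp silently.
                    throw new RuntimeException("path escapes the fixture directory: $relative");
                }
                array_pop($segments);
                continue;
            }
            $segments[] = $segment;
        }
        if ($segments === []) {
            throw new RuntimeException('relative fixture path resolves to the base directory itself');
        }
        $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

        // The prefix check includes the separator so that a sibling directory
        // such as "/srv/fixtures-other" is not accepted for base "/srv/fixtures".
        if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("resolved path escapes the fixture directory: $candidate");
        }
        return $candidate;
    }
}

// Constructed usage: the system temp directory stands in for the fixture directory.
$base = sys_get_temp_dir();
foreach (['users.get', '../traversal', "evil\0.json", 'sub/../../etc/passwd', 'orders list'] as $name) {
    try {
        $safe = FixturePathGuard::assertSafeFixtureName($name);
        echo 'accepted: ' . FixturePathGuard::resolveUnderBase($base, $safe . '.json') . PHP_EOL;
    } catch (Throwable $e) {
        echo "rejected '" . addcslashes($name, "\0") . "': " . $e->getMessage() . PHP_EOL;
    }
}

// Layer 2 on its own, for a caller that bypassed layer 1 and passed a sub-path.
try {
    FixturePathGuard::resolveUnderBase($base, 'a/../../etc/passwd');
} catch (RuntimeException $e) {
    echo 'storage layer: ' . $e->getMessage() . PHP_EOL;
}
```

Of the sample names, only `users.get` is accepted; the others are rejected by the first layer, and the final call shows the second layer refusing a path whose `..` climbs above the base even when the first layer was skipped. Keeping both checks is deliberate: the allow-list is the primary control, and the lexical containment check catches any future code path that reaches the storage layer with an unvalidated name.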
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.