CVE-2026-45089: Dalfox Path Traversal Vulnerability

CVE-2026-45089 Overview

CVE-2026-45089 is an arbitrary file write vulnerability in Dalfox, an open-source Cross-Site Scripting (XSS) scanner and automation utility. The flaw affects versions prior to 2.13.0 when Dalfox runs in REST API server mode. Attacker-controlled JSON fields (output, output-all, and debug) in model.Options are deserialized from request bodies and passed unchanged into the logging path. The logger opens the supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log content to it. The file write executes outside the IsLibrary guard, so it runs in server mode where file output was never intended. The default configuration requires no API key, exposing the endpoint to unauthenticated network callers. This issue is classified as [CWE-73] External Control of File Name or Path.

Critical Impact

Unauthenticated network attackers can create or append to any file writable by the Dalfox process, enabling configuration tampering, log injection, and potential privilege abuse on the host filesystem.

Affected Products

• Dalfox versions prior to 2.13.0 running in REST API server mode
• Default deployments without API key authentication configured
• Any host filesystem location writable by the Dalfox process user

Discovery Timeline

• 2026-05-27 - CVE-2026-45089 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45089

Vulnerability Analysis

Dalfox exposes a REST API server mode intended for programmatic scan orchestration. The API accepts JSON request bodies that map directly to the model.Options struct via JSON tags. Three fields control output destinations: output, output-all, and debug. These values flow unchanged through dalfox.Initialize into the scan engine's logging code.

The DalLog function opens the supplied path with append, create, and write-only flags. This logic sits outside the IsLibrary conditional that should gate filesystem writes when Dalfox runs as a server or embedded library. Because the guard is missing, file output executes during every server-mode scan that includes these fields.

The default configuration ships without an API key requirement. Any network caller that can reach the listening port can submit scan requests and direct log output to arbitrary filesystem paths.

Root Cause

The root cause is improper input validation on filesystem paths combined with a missing execution-context guard. The DalLog writer trusts attacker-supplied path strings without sanitization, allowlisting, or directory containment checks. The IsLibrary mode check that disables filesystem side effects in library and server contexts does not wrap the log file write block.

Attack Vector

An unauthenticated attacker sends an HTTP request to the Dalfox REST API scan endpoint. The JSON body sets output, output-all, or debug to a target path such as a cron file, SSH authorized_keys, shell profile, or web root file. When Dalfox processes the scan, the logger creates or appends scan output to the attacker-specified location. Repeated requests allow controlled content placement in any location writable by the Dalfox process account. The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-8hf9-3q64-q2qf.

Detection Methods for CVE-2026-45089

Indicators of Compromise

• Unexpected files created or modified by the Dalfox process user containing scan log content or XSS payload strings
• HTTP POST requests to the Dalfox REST API endpoint with output, output-all, or debug JSON fields containing absolute paths or path traversal sequences
• New entries in sensitive files such as ~/.ssh/authorized_keys, /etc/cron.d/, or web-accessible directories matching Dalfox log format

Detection Strategies

• Inspect HTTP request bodies destined for Dalfox API listeners for JSON keys output, output-all, and debug referencing paths outside expected scan output directories
• Monitor file creation events from the Dalfox process and alert on writes to paths outside a designated scan output directory
• Audit Dalfox deployment configurations to identify instances running in server mode without an API key set

Monitoring Recommendations

• Enable filesystem audit logging on hosts running Dalfox and forward events to a central log platform for correlation
• Track outbound network exposure of Dalfox API ports and restrict listeners to loopback or internal management networks
• Review process command lines for Dalfox invocations using server subcommand flags and verify version is 2.13.0 or later

How to Mitigate CVE-2026-45089

Immediate Actions Required

• Upgrade Dalfox to version 2.13.0 or later, which fixes the missing IsLibrary guard around log file writes
• Restrict network access to Dalfox REST API listeners using firewall rules or bind to loopback only
• Run Dalfox as a low-privilege account with no write access to sensitive system paths or user home directories

Patch Information

The fix is included in Dalfox 2.13.0. Release details and source changes are available in the GitHub Dalfox Release v2.13.0 notes. The patch enforces the IsLibrary execution-context check around the file write block in DalLog so server and library modes no longer write attacker-controlled paths.

Workarounds

• Configure an API key for the Dalfox REST API server and reject unauthenticated requests at a reverse proxy
• Deploy Dalfox inside a container or chroot with a minimal writable filesystem to limit the blast radius of arbitrary writes
• Place a reverse proxy in front of the Dalfox API that strips or rejects requests containing output, output-all, or debug fields until the host is patched

# Configuration example: upgrade and restrict network exposure
go install github.com/hahwul/dalfox/v2@v2.13.0

# Bind the API server to loopback only
dalfox server --host 127.0.0.1 --port 6664