CVE-2026-45090 Overview
CVE-2026-45090 is a race condition vulnerability in Dalfox, an open-source Cross-Site Scripting (XSS) scanner and automation utility. The flaw resides in ParameterAnalysis within pkg/scanning/parameterAnalysis.go, where two sequential worker stages write to the same results channel. The first stage closes the channel, but the second stage continues sending to it, triggering a Go runtime panic that crashes the entire dalfox process. The vulnerability affects versions prior to 2.13.0 and is fixed in 2.13.0.
Critical Impact
In server mode, unauthenticated remote attackers can crash the Dalfox process by submitting a request with a populated data field against any target that reflects at least one parameter.
Affected Products
- Dalfox versions prior to 2.13.0
- Dalfox server mode REST API with default configuration (no API key)
- Any deployment exposing ParameterAnalysis with POST-body parameters enabled
Discovery Timeline
- 2026-05-27 - CVE-2026-45090 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45090
Vulnerability Analysis
The vulnerability is a classic Go concurrency error categorized under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). Dalfox's ParameterAnalysis function orchestrates two sequential worker stages that share a single results channel for output. After the first stage finishes processing query parameters, the code executes close(results) at line 438. The second stage, which handles POST-body parameters (dp), then launches with the same already-closed channel as its sink. When processParams detects a reflected parameter, it performs results <- paramResult on the closed channel. Sending on a closed channel is an unrecoverable runtime panic in Go, terminating the process immediately.
Root Cause
The root cause is improper channel lifecycle management across worker stages. The developer closed the shared channel after the first stage instead of deferring closure until all producers had finished writing. The second stage inherits an unusable channel reference, but the panic only manifests when reflection logic actually attempts a send, making the bug intermittent during normal scans.
Attack Vector
In server mode, Dalfox exposes a REST API that, by default, requires no API key. Any unauthenticated network-reachable caller can trigger the panic by submitting a scan request where options.Data is non-empty and the target reflects at least one parameter. Because the panic crashes the entire dalfox process, a single request can take down the scanner instance, denying service to all legitimate users until the process is restarted.
No verified proof-of-concept code is available. See the GitHub Security Advisory GHSA-2g4x-fq3j-cgq4 for upstream technical details.
Detection Methods for CVE-2026-45090
Indicators of Compromise
- Unexpected termination of the dalfox server process with a Go runtime panic stack trace referencing "send on closed channel"
- Stack traces pointing to pkg/scanning/parameterAnalysis.go and processParams
- Repeated REST API requests containing a populated data field against reflective targets
Detection Strategies
- Monitor dalfox process exit codes and restart frequency in deployments running server mode
- Inspect REST API access logs for unauthenticated POST requests carrying scan options with non-empty data fields
- Correlate process crashes with inbound API traffic timestamps to identify triggering requests
Monitoring Recommendations
- Enable structured logging on the Dalfox REST API and forward to a centralized log platform
- Alert on Go panic signatures containing "send on closed channel" in container or systemd journal output
- Track availability of the Dalfox endpoint with synthetic health checks to detect outages early
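The following is an added example of the detection logic the indicators and monitoring bullets above describe; it is not code from Dalfox or from the advisory. It scans journal-style log lines for the Go "send on closed channel" panic, collects the source frames that follow it, and marks the alert as attributable to this bug only when the trace also names pkg/scanning/parameterAnalysis.go or processParams, which the advisory lists as the expected frames. The journal excerpt, host name, PID, import path and line numbers are constructed placeholders, and the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// panicAlert is what the detector emits for one crash seen in the journal.
type panicAlert struct {
	Signature  string   // the panic line that triggered the alert
	Frames     []string // source locations (file.go:line) named in the trace
	MatchesCVE bool     // true when the trace also names parameterAnalysis.go or processParams
}

// detectChannelPanic scans journal lines for a Go "send on closed channel"
// panic and collects the stack frames that follow it. A syslog/journald prefix
// ("May 27 ... dalfox[4242]: ") on each line is tolerated because matching is
// by substring and by whitespace-separated tokens. Only the first panic found
// is reported; ok is false when no such panic is present.
func detectChannelPanic(lines []string) (alert panicAlert, ok bool) {
	const sig = "panic: send on closed channel"
	for _, line := range lines {
		if !ok {
			if strings.Contains(line, sig) {
				alert.Signature = sig
				ok = true
			}
			continue
		}
		// Inside the trace: record every file:line token and check for the
		// function and file the advisory names.
		for _, tok := range strings.Fields(line) {
			if strings.Contains(tok, ".go:") {
				alert.Frames = append(alert.Frames, tok)
				if strings.Contains(tok, "parameterAnalysis.go") {
					alert.MatchesCVE = true
				}
			}
		}
		if strings.Contains(line, "processParams") {
			alert.MatchesCVE = true
		}
	}
	return alert, ok
}

// constructedJournal is a made-up journald excerpt shaped like a dalfox server
// crash; the host, PID, import path and line numbers are placeholders, not
// values taken from the advisory.
var constructedJournal = []string{
	"May 27 10:14:02 scanner-01 dalfox[4242]: scan started",
	"May 27 10:14:03 scanner-01 dalfox[4242]: panic: send on closed channel",
	"May 27 10:14:03 scanner-01 dalfox[4242]: ",
	"May 27 10:14:03 scanner-01 dalfox[4242]: goroutine 57 [running]:",
	"May 27 10:14:03 scanner-01 dalfox[4242]: example.invalid/dalfox/pkg/scanning.processParams(...)",
	"May 27 10:14:03 scanner-01 dalfox[4242]: \t/build/dalfox/pkg/scanning/parameterAnalysis.go:999 +0x1a5",
	"May 27 10:14:03 scanner-01 dalfox[4242]: example.invalid/dalfox/pkg/scanning.ParameterAnalysis.func2(...)",
	"May 27 10:14:03 scanner-01 dalfox[4242]: \t/build/dalfox/pkg/scanning/parameterAnalysis.go:998 +0x2b",
	"May 27 10:14:03 scanner-01 systemd[1]: dalfox.service: Main process exited, code=exited, status=2/INVALIDARGUMENT",
}

func main() {
	alert, ok := detectChannelPanic(constructedJournal)
	if !ok {
		fmt.Println("no send-on-closed-channel panic in excerpt")
		return
	}
	fmt.Printf("ALERT %q matchesCVE=%v frames=%v\n", alert.Signature, alert.MatchesCVE, alert.Frames)
}
```

In a real pipeline the alert would be emitted to the log platform and correlated with the REST API access log by timestamp, as the detection strategies above suggest; the MatchesCVE flag separates this crash from any other send-on-closed-channel panic that might appear in the same journal.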
How to Mitigate CVE-2026-45090
Immediate Actions Required
- Upgrade Dalfox to version 2.13.0 or later, which contains the fix for the channel lifecycle issue
- Restrict network exposure of the Dalfox REST API to trusted internal hosts only
- Enable API key authentication on any Dalfox server-mode deployment that must remain reachable
Patch Information
The vulnerability is resolved in Dalfox 2.13.0. The fix corrects the channel close sequencing so that the shared results channel is no longer closed before the POST-body parameter worker stage completes its sends. Refer to the GitHub DalFox Release v2.13.0 notes for upgrade instructions.
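The following is an added example, not code from Dalfox or from the advisory, that reproduces the channel-lifecycle mistake described in Vulnerability Analysis and Root Cause and sets it beside the standard remedy that Patch Information describes in outline (close the shared channel only after every producer has finished). The stage and type names are this example's own, the reflection oracle is constructed, and the fix shown uses a sync.WaitGroup-guarded close, which is one common way to satisfy the requirement; the advisory does not state how the upstream patch is written. The vulnerable path recovers the panic only so the failure mode can be returned and inspected; the real process has no such recover and dies.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// paramResult stands in for the per-parameter finding a scanner stage emits
// (hypothetical type, not dalfox's own).
type paramResult struct {
	Name string
}

// stage is a constructed stand-in for one processParams worker stage: it walks
// its parameter list and sends a result for every parameter the oracle reports
// as reflected. Parameters that do not reflect produce no send at all, which is
// why the crash is intermittent.
func stage(params []string, reflects func(string) bool, results chan<- paramResult) {
	for _, p := range params {
		if reflects(p) {
			results <- paramResult{Name: p}
		}
	}
}

// vulnerableAnalysis mirrors the faulty sequencing: the channel is closed after
// the query-parameter stage, then the POST-body stage runs against the same
// channel. Returns the recovered panic message (empty when no panic occurred).
func vulnerableAnalysis(query, body []string, reflects func(string) bool) (collected []string, panicMsg string) {
	results := make(chan paramResult, 64) // buffered so the stages can run sequentially
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r) // "send on closed channel"
		}
	}()
	stage(query, reflects, results)
	close(results)                 // bug: a second producer has not run yet
	stage(body, reflects, results) // panics on the first reflected body parameter
	for r := range results {
		collected = append(collected, r.Name)
	}
	return collected, ""
}

// fixedAnalysis closes the shared channel exactly once, and only after every
// producer has returned: each stage is a goroutine tracked by a WaitGroup, and
// a separate goroutine performs the close once wg.Wait() unblocks.
func fixedAnalysis(query, body []string, reflects func(string) bool) []string {
	results := make(chan paramResult)
	var wg sync.WaitGroup
	for _, params := range [][]string{query, body} {
		wg.Add(1)
		go func(ps []string) {
			defer wg.Done()
			stage(ps, reflects, results)
		}(params)
	}
	go func() {
		wg.Wait()      // all producers have returned
		close(results) // safe: nobody can send any more
	}()
	var collected []string
	for r := range results { // the consumer drains until the single close
		collected = append(collected, r.Name)
	}
	sort.Strings(collected) // stage interleaving is nondeterministic; normalise for comparison
	return collected
}

func main() {
	// Constructed oracle: parameters whose name starts with "r" reflect.
	reflects := func(p string) bool { return len(p) > 0 && p[0] == 'r' }
	query := []string{"q", "rq"}
	body := []string{"b", "rb"}

	_, msg := vulnerableAnalysis(query, body, reflects)
	fmt.Printf("vulnerable sequencing, reflected body param: panic=%q\n", msg)

	got, msg := vulnerableAnalysis(query, []string{"b"}, reflects)
	fmt.Printf("vulnerable sequencing, no reflected body param: results=%v panic=%q\n", got, msg)

	fmt.Printf("fixed sequencing: results=%v\n", fixedAnalysis(query, body, reflects))
}
```

The second vulnerable call shows why the bug escaped normal scans: with no reflected POST-body parameter the second stage never sends, the closed channel is simply drained, and the run completes. The fixed variant also removes the ordering assumption entirely, so adding a third producer stage later would not reintroduce the panic.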
Workarounds
- Run Dalfox only in command-line mode and avoid server mode until the upgrade is applied
- Place the Dalfox REST API behind a reverse proxy enforcing authentication and rate limits
- Reject inbound API requests where the data field is populated by unauthenticated clients
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.