PatchSiren cyber security CVE debrief
CVE-2026-45090 hahwul CVE debrief
A concurrency defect in Dalfox versions prior to 2.13.0 allows unauthenticated remote attackers to crash the application via a malformed scan request. The vulnerability stems from a channel closure race condition in the ParameterAnalysis function where a results channel is closed after the first worker stage completes, but a second stage continues to write to the same closed channel. When processing POST-body parameters with reflected input, this triggers a Go runtime panic. In server mode, the default configuration lacks API authentication, making the crash remotely exploitable by any network-reachable caller who supplies a non-empty data field and targets a reflective parameter. The issue is resolved in version 2.13.0.
- Vendor: hahwul
- Product: dalfox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Dalfox in server mode for automated XSS scanning, particularly those with exposed REST API endpoints. Security teams using Dalfox in CI/CD pipelines or as a service component should prioritize patching to maintain scanning availability.
Technical summary
The vulnerability exists in pkg/scanning/parameterAnalysis.go, where ParameterAnalysis orchestrates two sequential worker stages. The first stage closes the results channel at line 438 upon completion. The second stage, which handles POST-body parameter processing (dp), is launched with the same channel reference. When processParams attempts to send paramResult to the closed channel via results <- paramResult, the Go runtime panics, and an unrecovered panic in a goroutine terminates the whole process. In server mode this is triggerable remotely because: (1) the default configuration has no API key requirement, (2) the second stage activates when options.Data != '', and (3) the target must reflect at least one parameter to reach the vulnerable code path. The fix in 2.13.0 properly coordinates channel lifecycle management between worker stages.
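The channel-lifecycle defect described above, reduced to a small Go model. This is an added illustration, not Dalfox's own code: the names produce, runStages, queryParams, bodyParams and closeAfterFirst are assumptions, and parameter names stand in for reflected parameters. The same function shows the defective ordering (close tied to the first stage) beside the corrected one (close only after the last producer).

```go
package main

import (
	"fmt"
	"sync"
)

// produce is one worker stage: it sends every reflected parameter name on ch. A panic
// is recovered into *panicMsg for the demo; unrecovered, it would kill the process.
func produce(reflected []string, ch chan<- string, panicMsg *string, wg *sync.WaitGroup) {
	defer wg.Done()
	defer func() {
		if r := recover(); r != nil {
			*panicMsg = fmt.Sprint(r) // "send on closed channel"
		}
	}()
	for _, name := range reflected {
		ch <- name
	}
}

// runStages models the advisory's two sequential stages sharing one results channel.
// closeAfterFirst=true is the defect: ch is closed once the query-parameter stage
// finishes, yet the POST-body stage still sends on it. false is the fixed lifecycle.
func runStages(queryParams, bodyParams []string, closeAfterFirst bool) ([]string, string) {
	ch := make(chan string, len(queryParams)+len(bodyParams)) // buffered: sends need no concurrent reader
	var panicMsg string
	stage := func(names []string) { // run one stage to completion; wg.Wait orders its panicMsg write before our read
		var wg sync.WaitGroup
		wg.Add(1)
		go produce(names, ch, &panicMsg, &wg)
		wg.Wait()
	}
	stage(queryParams)
	if closeAfterFirst {
		close(ch) // defect: stage two below is handed the same, now closed, channel
	}
	if len(bodyParams) > 0 { // stage two activates only when the request carries a body
		stage(bodyParams)
	}
	if !closeAfterFirst {
		close(ch) // fix: close only after every producer has returned
	}
	var results []string
	for r := range ch {
		results = append(results, r)
	}
	return results, panicMsg
}
```

With an empty body list the defective ordering never reaches the second stage, which matches the advisory's note that a non-empty data field is required to trigger the crash.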
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Dalfox to version 2.13.0 or later to eliminate the channel closure race condition
- If immediate patching is not feasible, disable server mode or restrict network access to the Dalfox REST API
- Enable API key authentication in Dalfox server configuration if available, or implement network-level access controls to limit exposure
- Monitor Dalfox process logs for unexpected panics or crashes that may indicate exploitation attempts
- Review custom Dalfox deployments for modifications to parameterAnalysis.go that might reintroduce similar concurrency patterns
Evidence notes
The vulnerability description is sourced from the official CVE record published 2026-05-27 and cross-referenced with the GitHub Security Advisory GHSA-2g4x-fq3j-cgq4. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms network accessibility with low attack complexity, no privileges required, and high availability impact. CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-404 (Improper Resource Shutdown or Release) are identified as primary weakness enumerations.