Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0.
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dalfox, an open‑source XSS scanner, contains a flaw in its ParameterAnalysis routine (pkg/scanning/parameterAnalysis.go) where two sequential worker stages write to the same results channel. The channel is closed once the first stage completes, which would be correct on its own, but the second stage, which processes POST‑body parameters, is then launched with the same already‑closed channel as its output. As soon as one of those parameters reflects, a worker executes a send on the closed channel. In Go that send always panics, and because it happens inside a worker goroutine no recover in the calling code can intercept it, so the runtime aborts the entire dalfox process. The result is a denial of service caused by a lifecycle bug in shared‑channel handling, tracked as CWE‑362 and CWE‑404.
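The pattern the advisory describes, as an added illustration rather than Dalfox's own code: a worker pool sends results on a shared channel, the first stage's caller closes that channel, and a second stage is then run on the same channel. The `paramResult` type and the `processParams` pool are simplified stand-ins modelled on the advisory text, and the `onPanic` hook is demo instrumentation so the panic can be observed in-process; an unpatched worker has no such recover, so the send kills the whole process. `fixedAnalysis` shows the safe shape, with exactly one close after every sending stage has returned.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// paramResult is a stand-in for the per-parameter result Dalfox's workers emit
// (simplified, hypothetical type; not the project's own definition).
type paramResult struct {
	Name      string
	Reflected bool
}

// processParams mirrors the worker shape the advisory describes: a pool of
// workers probes parameters and, when a parameter reflects, sends a result on
// the shared channel. reflects maps parameter name -> "target reflected it".
// onPanic is demo instrumentation only: a real worker has no recover, and a
// panic inside a goroutine cannot be caught by its parent, so the runtime
// aborts the whole process. With onPanic == nil the panic is re-raised.
func processParams(reflects map[string]bool, results chan<- paramResult, workers int, onPanic func(r interface{})) {
	// Buffered and pre-filled so the producer never blocks even if a worker dies.
	queue := make(chan string, len(reflects))
	for name := range reflects {
		queue <- name
	}
	close(queue)

	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			defer func() {
				if r := recover(); r != nil {
					if onPanic == nil {
						panic(r) // propagate exactly as the unpatched code would
					}
					onPanic(r)
				}
			}()
			for name := range queue {
				if reflects[name] {
					results <- paramResult{Name: name, Reflected: true} // panics if results is closed
				}
			}
		}()
	}
	wg.Wait()
}

// vulnerableAnalysis reproduces the pre-2.13.0 control flow from the advisory:
// stage one (URL parameters) runs, close(results) follows, and stage two (POST
// body parameters, only when data was supplied) is then launched on the same
// channel. It returns the names drained from the channel and the panic messages
// the workers hit (captured only because of the demo instrumentation).
func vulnerableAnalysis(queryParams, bodyParams map[string]bool) (collected, panics []string) {
	results := make(chan paramResult)
	done := make(chan struct{})
	go func() { // consumer draining results, as a caller of ParameterAnalysis would
		for r := range results {
			collected = append(collected, r.Name)
		}
		close(done)
	}()

	processParams(queryParams, results, 2, nil)
	close(results) // correct for stage one in isolation...

	if len(bodyParams) > 0 { // ...but stage two (options.Data != "") reuses the closed channel
		var mu sync.Mutex
		processParams(bodyParams, results, 2, func(r interface{}) {
			mu.Lock()
			defer mu.Unlock()
			panics = append(panics, fmt.Sprint(r))
		})
	}
	<-done
	sort.Strings(collected)
	return collected, panics
}

// fixedAnalysis shows the safe shape: one producer goroutine runs every stage
// that sends, and close(results) happens exactly once, after the last of them
// has returned. The consumer ranges until that single close.
func fixedAnalysis(queryParams, bodyParams map[string]bool) []string {
	results := make(chan paramResult)
	go func() {
		defer close(results) // the only close, and only after all senders are done
		processParams(queryParams, results, 2, nil)
		if len(bodyParams) > 0 {
			processParams(bodyParams, results, 2, nil)
		}
	}()
	var collected []string
	for r := range results {
		collected = append(collected, r.Name)
	}
	sort.Strings(collected)
	return collected
}

func main() {
	// Constructed sample inputs: the target reflects "q" from the URL and "user" from the body.
	query := map[string]bool{"q": true, "page": false}
	body := map[string]bool{"user": true, "comment": false}
	got, panics := vulnerableAnalysis(query, body)
	fmt.Println("vulnerable collected:", got, "panics:", panics)
	fmt.Println("fixed collected:", fixedAnalysis(query, body))
}
```

Without the `onPanic` hook the second stage's first reflected parameter takes the process down; with an empty body map the second stage never runs, which matches the advisory's condition that `options.Data` must be non-empty. Moving the single `close` into the producer that owns every stage is the idiomatic fix: a channel is closed by its last sender, never by a caller that cannot see all of them.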

Affected Systems

The vulnerability affects hahwul:dalfox in all releases prior to version 2.13.0. The panic itself is present wherever ParameterAnalysis runs with POST data, but the remotely triggerable case is server mode: an instance started with the default configuration (no API key) accepts scan requests from any caller that can reach its REST API.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network‑reachable, low‑complexity, unauthenticated availability impact. The missing EPSS metric and the absence from KEV mean only that no exploitation data has been recorded yet, not that the flaw is hard to trigger. An attacker needs only to submit a scan request to the REST API that includes the data field, so that the POST‑body stage runs, against a target that reflects at least one parameter; because the scan target is part of the same request, a host under the attacker's control that echoes every parameter satisfies that condition. The first reflected parameter in the second stage sends on the closed channel and the process exits. No privileged access or user interaction is required, and the impact is complete service disruption until the process is restarted or patched; a restarted unpatched instance can be crashed again with the same request.

Generated by OpenCVE AI on May 27, 2026 at 19:14 UTC.

Remediation

The advisory states that the issue is fixed in Dalfox 2.13.0; no separate vendor workaround is published.

OpenCVE Recommended Actions

  • Upgrade Dalfox to version 2.13.0 or later, which contains the patch that prevents writes to a closed channel.
  • Configure Dalfox in server mode to require an API key or restrict the REST API to trusted network ranges so that unauthenticated users cannot trigger the crash.
  • If an immediate upgrade is not possible, implement a monitoring and auto‑restart mechanism for the Dalfox service to minimise downtime while applying the official fix. A restart alone does not close the hole, since the same request crashes the restarted process again, so pair it with the API‑key or network restriction above.


Advisories

Source: GitHub GHSA
ID: GHSA-2g4x-fq3j-cgq4
Title: Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)

History

Wed, 27 May 2026 17:45:00 +0000

Values removed: none

Values added:
  • Title: Dalfox: Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
  • Description: the advisory text reproduced in the Description section at the top of this page
  • Weaknesses: CWE-362, CWE-404
  • References:
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:33:06.856Z

Reserved: 2026-05-08T19:27:26.698Z

Link: CVE-2026-45090

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T18:16:25.003

Modified: 2026-05-27T18:16:25.003

Link: CVE-2026-45090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses