Dalfox Unauthenticated Remote Denial-of-Service Vulnerability via Closed-Channel Write in Parameter Analysis

Vulnerability

A denial-of-service vulnerability has been identified in Dalfox, an open-source XSS scanner, in versions prior to 2.13.0. The issue arises in the ParameterAnalysis function, where two worker stages write to the same results channel. After the first stage completes, the channel is closed, but the second stage, which processes POST-body parameters, is launched using the closed channel. Sending on a closed channel causes a Go runtime panic that crashes the Dalfox process. In server mode, the crash can be triggered remotely by any unauthenticated caller with access to the REST API, since the default configuration does not require an API key. The vulnerability activates when the data field is supplied and the target reflects at least one parameter.
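The following Go program is an added illustration of the channel-lifecycle bug described above; it is not Dalfox's code, and the names Finding, stageWorker, analyzeBroken and analyzeFixed are constructed for this example. analyzeBroken closes the shared results channel as soon as the first (query-parameter) stage drains and then launches the second (POST-body) stage on that same channel, so the first reflected body parameter triggers a "send on closed channel" runtime panic. analyzeFixed closes the channel exactly once, after every producer stage has finished. The deferred recover in stageWorker exists only so the example can observe and return the panic; an unrecovered panic inside a worker goroutine in a real server terminates the whole process, which is the denial of service.

```go
package main

import (
	"fmt"
	"sync"
)

// Finding stands in for one reflected-parameter result; the type is constructed
// for this example and is not Dalfox's own.
type Finding struct {
	Stage string
	Param string
}

// stageWorker emits one Finding per reflected parameter on out. The deferred
// recover exists only so this example can observe the panic and report it;
// the real scanner has no such recover, so an unrecovered send on a closed
// channel inside a worker goroutine terminates the whole process.
func stageWorker(stage string, params []string, out chan<- Finding, wg *sync.WaitGroup, panicked *bool) {
	defer wg.Done()
	defer func() {
		if r := recover(); r != nil { // runtime error: send on closed channel
			*panicked = true
		}
	}()
	for _, p := range params {
		out <- Finding{Stage: stage, Param: p}
	}
}

// analyzeBroken reproduces the defective shape: the results channel is closed
// once the query-parameter stage drains, then the POST-body stage is launched
// on that same, already-closed channel.
func analyzeBroken(queryParams, bodyParams []string) (findings []Finding, panicked bool) {
	results := make(chan Finding)

	var stage1 sync.WaitGroup
	stage1.Add(1)
	go stageWorker("query", queryParams, results, &stage1, &panicked)
	go func() { stage1.Wait(); close(results) }() // closed as soon as stage 1 ends
	for f := range results {
		findings = append(findings, f)
	}

	// Stage 2 runs only when body data was supplied; its first send panics
	// if at least one body parameter is reflected.
	if len(bodyParams) > 0 {
		var stage2 sync.WaitGroup
		stage2.Add(1)
		go stageWorker("body", bodyParams, results, &stage2, &panicked)
		stage2.Wait()
	}
	return findings, panicked
}

// analyzeFixed closes the channel only after every producer stage has finished,
// so the consumer drains results from both stages and nothing sends after close.
func analyzeFixed(queryParams, bodyParams []string) (findings []Finding, panicked bool) {
	results := make(chan Finding)

	var producers sync.WaitGroup
	producers.Add(2)
	go stageWorker("query", queryParams, results, &producers, &panicked)
	go stageWorker("body", bodyParams, results, &producers, &panicked)
	go func() { producers.Wait(); close(results) }() // single close, after all senders

	for f := range results {
		findings = append(findings, f)
	}
	return findings, panicked
}

func main() {
	query := []string{"q", "page"} // constructed: reflected query parameters
	body := []string{"comment"}    // constructed: reflected POST-body parameter

	f, p := analyzeBroken(query, body)
	fmt.Printf("broken: %d findings, panicked=%v\n", len(f), p)
	f, p = analyzeFixed(query, body)
	fmt.Printf("fixed:  %d findings, panicked=%v\n", len(f), p)
}
```

The design point is ownership of close: whichever goroutine waits for all producers is the only one allowed to close the channel, and a producer must never be started after that wait has returned. A quick review check for code of this shape is to locate every close(ch) and confirm that no goroutine sending on ch can still be created or running past it.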

Impact

Exploiting this vulnerability causes the entire Dalfox server process to crash, requiring a manual restart. In-flight scans are lost without results, and under automated process managers, the crash can create a denial-of-service loop.

Reproduction

The vulnerability can be reproduced by sending a POST request to a Dalfox server (running without an API key) with a JSON body that includes a reflective URL and the 'data' field populated. The reflective server must be controlled by the attacker and set to reflect the parameter, triggering the channel write on the closed results channel, which causes the server process to crash.

Remediation

Users are advised to upgrade to Dalfox version 2.13.0, where this vulnerability has been fixed.

Added: May 28, 2026, 3:59 AM
Updated: May 28, 2026, 3:59 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       9.1
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.