CVE-2021-25283

9.8 CRITICAL

📋 TL;DR

This vulnerability is a server-side template injection (SSTI) flaw in SaltStack Salt's Jinja renderer: the renderer did not protect against SSTI, so an attacker who can get attacker-controlled template content rendered can execute arbitrary code on the Salt master. It affects all SaltStack Salt deployments before version 3002.5. The CVSS score of 9.8 reflects the potential for complete system compromise.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions before 3002.5
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable when the Jinja renderer is used (Jinja is the default renderer for state and pillar files). The vulnerability lies in the template rendering engine itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution on Salt master leading to complete system takeover, data exfiltration, lateral movement across infrastructure, and persistent backdoor installation.

🟠

Likely Case

Unauthenticated attackers exploiting internet-facing Salt masters to execute arbitrary commands, potentially gaining control over managed minions and sensitive configuration data.

🟢

If Mitigated

Limited impact if Salt masters are properly segmented, access is restricted, and network controls prevent external exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once the vulnerability is understood. Multiple proof-of-concept examples exist in security communities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.5 or later

Vendor Advisory: https://github.com/saltstack/salt/releases

Restart Required: Yes

Instructions:

1. Back up the Salt configuration and data.
2. Upgrade to Salt version 3002.5 or later using the package manager (yum/apt).
3. Restart the Salt master service.
4. Verify that all minions reconnect properly.

🔧 Temporary Workarounds

Network Segmentation

Platform: Linux

Restrict access to the Salt master's ZeroMQ ports (default 4505 for publish, 4506 for request/return) to trusted networks only. Replace TRUSTED_NETWORK with a CIDR such as 10.0.0.0/8. The DROP rule must follow the ACCEPT rule, and because -A appends to the chain, an earlier rule that already accepts this traffic will take precedence. These rules are not persistent across reboots unless saved with your distribution's tooling (for example iptables-save).

iptables -A INPUT -p tcp --dport 4505:4506 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP

Disable External API Access

Platform: All

Configure the Salt master to listen only on localhost or an internal interface. Binding to 127.0.0.1 means no remote minion can connect, so it is only viable on a single-host setup; for multi-host deployments use the internal-facing address.

Edit /etc/salt/master and set 'interface: 127.0.0.1' or 'interface: INTERNAL_IP', then restart the salt-master service for the change to take effect.

🧯 If You Can't Patch

  • Implement strict network access controls to Salt master ports (4505-4506)
  • Monitor for suspicious template rendering patterns and Salt API access logs

🔍 How to Verify

Check if Vulnerable:

Check the Salt version with salt --version or salt-master --version. If the version is below 3002.5, the system is vulnerable.

Check Version:

salt --version

Verify Fix Applied:

After upgrading, verify that the reported version is 3002.5 or higher and that template rendering still works normally.
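The version check above can be automated across a fleet. The following is an added example, not part of the original advisory or of the Salt project: it parses the output of salt --version and applies the advisory's rule that anything below 3002.5 is vulnerable. It assumes the salt CLI is on PATH; the comparison treats versions as integer tuples so that both the newer 3000-style numbering and the older year.month.patch numbering sort correctly.

```python
import re
import subprocess

# Fixed version as stated in the advisory.
FIXED_VERSION = "3002.5"


def parse_salt_version(output):
    """Extract the version from `salt --version` output as a tuple of ints.

    Handles outputs such as 'salt 3002.4', 'salt 3000.8' and
    'salt 2019.2.8'. Returns None when no version string is present.
    """
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version_output, fixed=FIXED_VERSION):
    """True when the reported version sorts below the fixed version.

    Tuple comparison means (3002, 4) < (3002, 5), (2019, 2, 8) < (3002, 5)
    and (3003,) > (3002, 5), which matches the advisory's rule.
    """
    found = parse_salt_version(version_output)
    if found is None:
        raise ValueError("no Salt version found in: %r" % version_output)
    fixed_tuple = tuple(int(part) for part in fixed.split("."))
    return found < fixed_tuple


def check_installed_salt():
    """Run `salt --version` on this host (assumes the salt CLI is installed)."""
    result = subprocess.run(
        ["salt", "--version"], capture_output=True, text=True, check=True
    )
    return is_vulnerable(result.stdout)


if __name__ == "__main__":
    print("vulnerable" if check_installed_salt() else "patched")
```

If your distribution backports security fixes without bumping the upstream version number, this check will report a false positive; consult the distribution's changelog in that case.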

📡 Detection & Monitoring

Log Indicators:

  • Unusual template rendering patterns in Salt master logs
  • Unexpected commands executed via Salt API
  • Access to Salt API from unauthorized IP addresses

Network Indicators:

  • Unusual traffic to Salt master ports (4505-4506) from external sources
  • Large template payloads in network traffic

SIEM Query:

source="salt-master.log" AND ("template injection" OR "jinja render" OR "SSTI")
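One concrete way to look for the "suspicious template rendering patterns" listed above is to scan the state and pillar trees that the master renders. The following is an added example, not part of the original advisory or of the Salt project: it extracts every Jinja expression and statement block from a template and flags blocks that reach into Python double-underscore (dunder) attributes, which legitimate Salt states never need and which an SSTI attempt against an unsandboxed renderer relies on. The sample state file is constructed for the example, and the /srv/salt path used by scan_state_tree is an assumed default.

```python
import re
from pathlib import Path

# Jinja delimiters: expressions {{ ... }} and statements {% ... %}.
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Dunder attribute access inside a template block, whether written as
# obj.__name__, obj['__name__'] or via the attr('__name__') filter.
DUNDER_ACCESS = re.compile(r"(?:\.|\[\s*['\"])__\w+__|\battr\s*\(\s*['\"]__")


def find_suspicious_blocks(template_text):
    """Return (line_number, block) for each Jinja block touching dunder attributes."""
    hits = []
    for match in JINJA_BLOCK.finditer(template_text):
        block = match.group(0)
        if DUNDER_ACCESS.search(block):
            line_no = template_text.count("\n", 0, match.start()) + 1
            hits.append((line_no, " ".join(block.split())))
    return hits


def scan_state_tree(root="/srv/salt", suffixes=(".sls", ".jinja")):
    """Scan every template under root (assumed default file_roots) and map path -> hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_suspicious_blocks(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample state file: lines 1-8 are ordinary Salt usage,
# line 9 reaches into a dunder attribute and should be flagged.
SAMPLE_SLS = (
    "# constructed sample, not a real state tree\n"
    "{% set pkgs = pillar.get('pkgs', ['vim']) %}\n"
    "install_pkgs:\n"
    "  pkg.installed:\n"
    "    - pkgs: {{ pkgs | json }}\n"
    "    - refresh: {{ grains['os_family'] == 'Debian' }}\n"
    "suspicious:\n"
    "  cmd.run:\n"
    "    - name: echo {{ pillar.__class__ }}\n"
)


if __name__ == "__main__":
    for line_no, block in find_suspicious_blocks(SAMPLE_SLS):
        print("line %d: %s" % (line_no, block))
```

Run scan_state_tree on a copy of the master's file_roots and pillar_roots, or wire find_suspicious_blocks into a pre-commit hook for the repository that feeds them; either way a hit is worth a manual look before the master renders that file.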
