CVE-2025-22238
📋 TL;DR
This CVE describes a directory traversal vulnerability in SaltStack's master cache creation that allows attackers to write or overwrite files outside the intended cache directory. Affected systems are Salt masters running vulnerable versions where minions can submit malicious file cache requests. The vulnerability could lead to arbitrary file writes on the master system.
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Salt master through arbitrary file writes leading to remote code execution, configuration manipulation, or data corruption.
Likely Case
Limited file manipulation within accessible directories, potentially disrupting Salt operations or planting backdoors.
If Mitigated
No impact if proper network segmentation and access controls prevent unauthorized minion connections.
🎯 Exploit Status
Requires minion access or ability to impersonate minion communications. Directory traversal payloads must bypass any input validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3006.12 or 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
Restart Required: Yes
Instructions:
1. Back up Salt configuration and data.
2. Update Salt master to version 3006.12 or 3007.4 using package manager.
3. Restart Salt master service.
4. Verify all minions reconnect successfully.
🔧 Temporary Workarounds
Restrict minion access
linux: Limit which minions can communicate with the master using firewall rules or Salt's access controls.
iptables -A INPUT -s [trusted_subnet] -p tcp --dport 4505:4506 -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP
Disable file cache if unused
all: If file cache functionality is not required, disable it in master configuration.
echo 'file_cache: False' >> /etc/salt/master
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Salt master from untrusted networks
- Monitor for unusual file write patterns in cache directories and Salt master logs
🔍 How to Verify
Check if Vulnerable:
Check Salt version: if running 3006.x < 3006.12 or 3007.x < 3007.4, system is vulnerable.
Check Version:
salt --versions-report | grep -i salt
Verify Fix Applied:
Confirm version is 3006.12 or higher, or 3007.4 or higher. Test with controlled minion attempting directory traversal payload.
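The version comparison above as a script, added here as an example (it is not from the Salt project or the original page). The function name is hypothetical, the thresholds are the fixed releases stated on this page, and the parsing assumes the `Salt:` line printed by `salt --versions-report`.

```shell
#!/bin/sh
# Classify a Salt version string against the fixed releases named on this page
# (3006.12 and 3007.4). Prints one of: vulnerable | patched | unknown.
# Function name is hypothetical (added example).
salt_cve_2025_22238_status() {
    # Split "MAJOR.MINOR<suffix>" into three space-separated fields.
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\(.*\)$/\1 \2 \3/p')
    if [ -z "$parsed" ]; then
        echo unknown            # not a MAJOR.MINOR version string
        return 0
    fi
    major=${parsed%% *}
    tmp=${parsed#* }
    minor=${tmp%% *}
    suffix=${tmp#* }            # e.g. "rc1" or "+12.gabc"; empty for releases

    case $major in
        3006) fixed=12 ;;
        3007) fixed=4 ;;
        *) echo unknown; return 0 ;;   # the page gives no data for other branches
    esac

    if [ "$minor" -lt "$fixed" ]; then
        echo vulnerable
    elif [ "$minor" -eq "$fixed" ] && [ -n "$suffix" ]; then
        # Pre-release or dev build of the fixed version: cannot tell from the
        # version string alone whether the fix is included.
        echo unknown
    else
        echo patched
    fi
}

# When Salt is installed, classify the local version using the page's command.
if command -v salt >/dev/null 2>&1; then
    installed=$(salt --versions-report 2>/dev/null |
        awk '$1 == "Salt:" {print $2; exit}')
    echo "Salt ${installed:-?}: $(salt_cve_2025_22238_status "$installed")"
fi
```

An `unknown` result means the version has to be checked against the vendor advisory by hand.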
📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in cache operations
- Failed directory traversal attempts in Salt logs
- Multiple cache write errors from single minion
Network Indicators:
- Unusual minion-to-master traffic patterns
- Multiple cache requests with path traversal characters
SIEM Query:
source="salt-master.log" AND (".." OR "../" OR "/etc/" OR "/root/") AND cache