CVE-2025-46096
📋 TL;DR
A directory traversal vulnerability in Solon v3.1.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via the solon-faas-luffy component. This vulnerability enables attackers to access files outside the intended directory and inject malicious scripts. Organizations using Solon v3.1.2 with the solon-faas-luffy component are affected.
💻 Affected Systems
- Solon
📦 What is this software?
Solon by Noear
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, credentials, or performing actions on behalf of authenticated users.
Likely Case
Attackers conduct reflected XSS attacks by injecting malicious scripts through directory traversal, compromising user sessions and data.
If Mitigated
With proper input validation and output encoding, the impact is limited to failed exploitation attempts with no data compromise.
🎯 Exploit Status
Exploitation details are publicly available in the GitHub issue and gist references, making attacks straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.1.3 or later
Vendor Advisory: https://github.com/opensolon/solon/issues/357
Restart Required: Yes
Instructions:
1. Check current Solon version.
2. Update to v3.1.3 or later using package manager or manual download.
3. Restart the Solon application to apply changes.
🔧 Temporary Workarounds
Disable solon-faas-luffy component
- Temporarily disable the vulnerable component if it is not required for functionality.
- Modify the configuration to remove or comment out solon-faas-luffy references.
Implement input validation
- Add server-side validation to block directory traversal patterns in user inputs.
- Implement regex or allowlist validation for file paths in the application code.
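The workaround above describes a path check in two layers: a regex that rejects traversal fragments, and a containment test that confirms the resolved path stays under the directory the component is allowed to serve. The block below is an added example of that check, not code from Solon or the solon-faas-luffy component; it is written in Python so the logic reads independently of Solon's Java API, and the base directory `/srv/solon/luffy`, the function names `resolve_safely` / `is_safe_path` and the sample inputs are all constructed for the illustration. It decodes the input twice before checking so that URL-encoded and double-encoded `..` sequences are caught, and it deliberately rejects any `..` segment even when the result would remain inside the base.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for this example; a deployment would use the
# directory the component is actually meant to serve from.
BASE_DIR = "/srv/solon/luffy"

# Deny any ".." path segment once the input is decoded. This is the regex
# guard the workaround mentions; it is deliberately strict and also rejects
# "sub/../x", which would stay inside the base but has no legitimate use here.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def resolve_safely(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the normalized absolute path for user_path if it stays inside
    base_dir, otherwise None.

    The check is lexical (os.path.normpath), so it is deterministic and can be
    tested without the directory existing; code that then opens the file
    should additionally resolve symlinks with os.path.realpath and re-check
    containment.
    """
    if not user_path:
        return None
    # Decode twice so double-encoded sequences such as %252e%252e are seen.
    decoded = unquote(unquote(user_path))
    # Null bytes and empty results are rejected after decoding, not before,
    # so an encoded %00 cannot slip past the check.
    if not decoded or "\x00" in decoded:
        return None
    # Only relative, forward-slash paths are acceptable from a client.
    if "\\" in decoded or decoded.startswith("/"):
        return None
    if TRAVERSAL_RE.search(decoded):
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, decoded))
    # Containment: candidate must be base itself or strictly below it.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def is_safe_path(user_path: str, base_dir: str = BASE_DIR) -> bool:
    return resolve_safely(user_path, base_dir) is not None


# Constructed sample inputs covering plain, encoded and double-encoded traversal,
# an absolute path, an encoded null byte, and a file name that merely starts
# with ".." (which is legitimate and must not be rejected).
SAMPLE_INPUTS = {
    "index.js": True,
    "assets/app.js": True,
    "..foo/bar.js": True,
    "sub/../app.js": False,
    "../../etc/passwd": False,
    "..%2f..%2fetc%2fpasswd": False,
    "%252e%252e/x": False,
    "/etc/passwd": False,
    "a%00.js": False,
}


def check_samples() -> dict:
    """Map each constructed sample input to whether is_safe_path accepted it."""
    return {p: is_safe_path(p) for p in SAMPLE_INPUTS}


if __name__ == "__main__":
    for path, accepted in check_samples().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'} {path!r}")
```

The containment test is the authoritative check; the regex is a cheap first gate that also gives a clear log message when a request is dropped. Whatever serves the file afterwards should re-check containment on the `realpath` result, since a symlink inside the base directory can still point outside it.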
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with rules to block directory traversal and XSS payloads.
- Restrict network access to the Solon application to trusted users only.
🔍 How to Verify
Check if Vulnerable:
Check whether the Solon version is 3.1.2 and the solon-faas-luffy component is enabled in the configuration.
Check Version:
Check the application logs or configuration files for the Solon version string.
Verify Fix Applied:
Confirm that the Solon version is 3.1.3 or later, and verify that requests containing traversal-style paths are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path requests containing '../' or similar traversal patterns in access logs.
- Error logs showing failed file access attempts outside expected directories.
Network Indicators:
- HTTP requests with malicious payloads in query parameters or headers targeting the solon-faas-luffy endpoint.
SIEM Query:
source="web_logs" AND (url="*../*" OR user_agent="*script*" OR referer="*javascript:*")
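The log and network indicators above, and the SIEM query that encodes them, can be checked offline against raw access logs before a SIEM rule is written. The block below is an added example of that detection logic, not tooling from Solon or the advisory; the access-log lines are constructed in Apache combined format, and the `/luffy/` path prefix, IP addresses and timestamps are assumptions made for the illustration. It decodes the request target and referer before matching, so `..%2f` variants that the literal `*../*` query would miss are still flagged, and it records the HTTP status so that a traversal request answered with 200 stands out from one that was rejected.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined format; none come from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /luffy/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2025:10:01:09 +0000] "GET /luffy/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [12/May/2025:10:01:15 +0000] "GET /luffy/..%2f..%2fconf%2fapp.yml HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [12/May/2025:10:02:30 +0000] "GET /luffy/index.html?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2025:10:02:44 +0000] "GET /luffy/page HTTP/1.1" 200 300 "javascript:void(0)" "Mozilla/5.0"
10.0.0.5 - - [12/May/2025:10:03:00 +0000] "GET /luffy/sub..dir/x.js HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A ".." path segment bounded by slashes, start or end; "sub..dir" does not match.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")
# Script tags, javascript: URLs and inline event handlers (on*=) after decoding.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode(value: str) -> str:
    """Undo single and double URL encoding before pattern matching."""
    return unquote(unquote(value))


def analyse_line(line: str):
    """Return a finding dict for a suspicious line, or None for a clean or unparseable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m["target"])
    referer = decode(m["referer"])
    reasons = []
    if TRAVERSAL_RE.search(target):
        reasons.append("path-traversal")
    if XSS_RE.search(target) or XSS_RE.search(referer):
        reasons.append("xss-marker")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "target": m["target"],
        "status": m["status"],
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Run analyse_line over every line and keep the findings."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['status']} "
              f"{','.join(finding['reasons'])} {finding['target']}")
```

A finding with `path-traversal` and status 200 deserves the first look, since it indicates the server returned something for a path that should never resolve. The literal `*../*` match in the SIEM query above can be widened in the same way by normalising the URL field before comparison, where the platform supports it.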