Skip to main content

CVE-2026-33183

HIGH
Out-of-bounds Read (CWE-125)
2026-03-25 https://github.com/saloonphp/saloon
8.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 25, 2026 - 22:02 vuln.today
CVE Published
Mar 25, 2026 - 22:00 nvd
HIGH 8.0

DescriptionGitHub Advisory

Impact

Users with MockResponse fixtures that use path traversal.

Patches

Upgrade to Saloon v4+

Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Description

Fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defence-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).

Credits

Saloon thanks @HuajiHD for finding the issue and recommending solutions and @JonPurvis for applying the fix.

AnalysisAI

Saloon versions prior to v4 contain a path traversal vulnerability in fixture name handling that allows attackers to read or write files outside the configured fixture directory. Users with MockResponse fixtures derived from untrusted input (such as request parameters or configuration values) are affected, as attackers can use path traversal sequences like ../ or absolute paths to access arbitrary files on the system with the privileges of the running process. The vulnerability has been patched in Saloon v4 with input validation and defense-in-depth path verification.

Technical ContextAI

Saloon is a PHP HTTP client library (CPE: pkg:composer/saloonphp_saloon) that provides fixture and mocking capabilities for testing. The vulnerability exists in the fixture layer where fixture names are directly used to construct file paths under a base fixture directory without proper validation. The root cause is classified under CWE-125 (Out-of-bounds Read) but more specifically manifests as a path traversal flaw (CWE-22 equivalent behavior). When fixture names containing path traversal sequences (../, ..\ backslashes, or absolute paths) are processed, they bypass directory containment checks, allowing the file operations (read during mocking or write during response recording) to target files anywhere on the filesystem. The vulnerability is particularly dangerous when fixture names derive from attacker-controlled sources such as HTTP request parameters, query strings, or externally-provided configuration.

RemediationAI

Upgrade Saloon to version 4.0 or later immediately, which includes input validation rejecting fixture names containing /, \, .., or null bytes, plus defense-in-depth path normalization ensuring resolved paths remain under the base directory. Follow the official upgrade guide at https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4. As a temporary workaround for environments unable to upgrade immediately, restrict fixture name inputs to a strict allowlist (alphanumeric and hyphen/underscore only), avoid deriving fixture names from untrusted sources, and limit file system permissions of the application process to the minimum required directories. In CI/CD or testing environments, run Saloon processes with minimal filesystem privileges and in isolated containers to limit the blast radius of potential exploitation.

Share

CVE-2026-33183 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy