CVE-2026-45090: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in hahwul dalfox
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
Dalfox, an open-source XSS scanner, had a concurrency flaw in its ParameterAnalysis component before version 2.13.0. Two sequential worker stages write to a shared results channel; the channel is closed after the first stage but reused by the second stage, leading to a Go runtime panic when writing to a closed channel. This causes the entire dalfox process to crash. In server mode, the crash is remotely triggerable by unauthenticated callers via the REST API due to default configuration lacking API key protection and the activation of the second stage when supplied data is reflected by the target. The issue is resolved in dalfox 2.13.0.
Potential Impact
Successful exploitation causes a denial of service by crashing the dalfox process. In server mode, unauthenticated remote attackers can trigger this crash via the REST API, potentially disrupting scanning operations. There is no direct impact on confidentiality or integrity, but availability is affected.
Mitigation Recommendations
Upgrade dalfox to version 2.13.0 or later, where this race condition and crash issue is fixed. Until upgraded, restrict access to the dalfox REST API, especially if running in server mode with default configurations lacking API key protection, to prevent unauthenticated remote triggering of the crash. Patch status is confirmed fixed in version 2.13.0.
CVE-2026-45090: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in hahwul dalfox
Description
Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Dalfox, an open-source XSS scanner, had a concurrency flaw in its ParameterAnalysis component before version 2.13.0. Two sequential worker stages write to a shared results channel; the channel is closed after the first stage but reused by the second stage, leading to a Go runtime panic when writing to a closed channel. This causes the entire dalfox process to crash. In server mode, the crash is remotely triggerable by unauthenticated callers via the REST API due to default configuration lacking API key protection and the activation of the second stage when supplied data is reflected by the target. The issue is resolved in dalfox 2.13.0.
Potential Impact
Successful exploitation causes a denial of service by crashing the dalfox process. In server mode, unauthenticated remote attackers can trigger this crash via the REST API, potentially disrupting scanning operations. There is no direct impact on confidentiality or integrity, but availability is affected.
Mitigation Recommendations
Upgrade dalfox to version 2.13.0 or later, where this race condition and crash issue is fixed. Until upgraded, restrict access to the dalfox REST API, especially if running in server mode with default configurations lacking API key protection, to prevent unauthenticated remote triggering of the crash. Patch status is confirmed fixed in version 2.13.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T19:27:26.698Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a172e7fe29bf47b50d78ab4
Added to database: 5/27/2026, 5:48:47 PM
Last enriched: 5/27/2026, 6:03:36 PM
Last updated: 5/27/2026, 8:08:28 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.