GHSA-989c-m532-p2hv
GitHub Security Advisory
Salt's worker process vulnerable to denial of service through file read operation
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Worker process denial of service through file read operation. A vulnerability exists in the Master's “pub_ret” method, which is exposed to all minions. The unsanitized input value “jid” is used to construct a path which is then opened for reading. An attacker could exploit this vulnerability by attempting to read from a filename that will not return any data, e.g. by targeting a pipe node on the proc file system.
Affected Packages
PyPI
salt
Affected versions: 3007.0rc1 (fixed in 3007.4)
PyPI
salt
Affected versions: 3006.0rc1 (fixed in 3006.12)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: June 18, 2025 6:25 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.