Denial of Service Vulnerability in SaltStack Products
CVE-2025-22242

5.6MEDIUM

Key Information:

Vendor: Vmware
Status: Salt
Vendor: CVE Published:; 13 June 2025

What is CVE-2025-22242?

A Denial of Service vulnerability exists in SaltStack's Master component, specifically within the 'pub_ret' method. This vulnerability arises from the use of un-sanitized input for the 'jid' parameter, which leads to the construction of file paths that can be exploited. Attackers could leverage this flaw by attempting to read from file names designed to yield no data, such as targeting pipe nodes within the proc file system. This could potentially disrupt the worker processes and lead to service unavailability.

Affected Version(s)

SALT 3006.x < 3006.12

SALT 3007.x < 3007.4

References

https://docs.saltproject.io/en/3006/topics/releases/3006....

https://docs.saltproject.io/en/3007/topics/releases/3007....

CVSS V3.1

Score:

5.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 13, 2025
Vulnerability Reserved
Jan 2, 2025

JSON

Vmware

What is CVE-2025-22242?

Affected Version(s)

References

CVSS V3.1

Timeline