CVE-2026-45087

Dalfox · Dalfox

Dalfox contains an unauthenticated remote code execution vulnerability in its REST API server mode due to insecure deserialization of scan options.

Executive summary

An unauthenticated remote code execution vulnerability in Dalfox allows attackers to execute arbitrary shell commands on the host system.

Vulnerability

The server mode deserializes attacker-supplied JSON directly into scan options, allowing an unauthenticated user to inject arbitrary shell commands that the Dalfox process will execute.

Business impact

With a CVSS score of 10, this is a critical vulnerability that allows an unauthenticated attacker to gain full control over the host running the Dalfox server. This could lead to complete system compromise, data exfiltration, or the use of the host as a pivot point for further attacks.

Remediation

Immediate Action: Update Dalfox to version 2.13.0 or later to ensure proper validation and stripping of scan options.

Proactive Monitoring: Monitor for unauthorized requests to the Dalfox API and check for unexpected child processes spawned by the Dalfox service.

Compensating Controls: If the Dalfox server must be exposed, implement strong authentication via an API key and restrict access to the service port (6664) using network-level controls.
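The pattern described under Vulnerability and the fix described under Remediation, as an added illustration (not Dalfox's own code): the vulnerable side unmarshals untrusted JSON straight into an options struct that also carries a command-execution field, while the hardened side decodes into an allowlisted struct, rejects unknown fields, and never lets a remote caller populate the execution field. The field names (`exec_on_found` and friends) are hypothetical placeholders, not the actual Dalfox option names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// FullOptions stands in for a scanner's option struct. The field names are
// hypothetical; the point is that ExecOnFound makes the process run a shell command.
type FullOptions struct {
	Target      string `json:"target"`
	Timeout     int    `json:"timeout"`
	ExecOnFound string `json:"exec_on_found"` // hypothetical: command run on a finding
}

// VulnerableDecode deserializes the request body into every option, so a
// remote caller can set ExecOnFound and have the server execute it.
func VulnerableDecode(body []byte) (FullOptions, error) {
	var o FullOptions
	err := json.Unmarshal(body, &o)
	return o, err
}

// RemoteOptions is the allowlist of fields a remote caller may set.
type RemoteOptions struct {
	Target  string `json:"target"`
	Timeout int    `json:"timeout"`
}

// SafeDecode decodes only allowlisted fields, rejects anything else, and builds
// the full options with the execution field left empty.
func SafeDecode(body []byte) (FullOptions, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // unknown keys such as exec_on_found are an error
	var r RemoteOptions
	if err := dec.Decode(&r); err != nil {
		return FullOptions{}, fmt.Errorf("rejected scan options: %w", err)
	}
	if r.Target == "" {
		return FullOptions{}, errors.New("target is required")
	}
	return FullOptions{Target: r.Target, Timeout: r.Timeout}, nil
}

func main() {
	// Constructed request body: a legitimate target plus a smuggled execution field.
	req := []byte(`{"target":"https://example.test","exec_on_found":"id"}`)
	v, _ := VulnerableDecode(req)
	fmt.Printf("vulnerable decode accepted exec_on_found=%q\n", v.ExecOnFound)
	_, err := SafeDecode(req)
	fmt.Println("hardened decode:", err)
}
```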

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is highly critical and trivial to exploit if the service is exposed to a network. Immediate updates are required, and the service should not be exposed without authentication.