HIGH 8.1

GHSA-c46w-gr7f-jm2p

Salt vulnerable to arbitrary event injection

Details

Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by an authorized minion to send arbitrary events onto the master's event bus.

Affected packages

PyPI / salt
Introduced in: 3006.0rc1
Fixed in: 3006.12
Fix: pip install --upgrade 'salt>=3006.12'

PyPI / salt
Introduced in: 3007.0rc1
Fixed in: 3007.4
Fix: pip install --upgrade 'salt>=3007.4'
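
To check an installed version against the two ranges above, the comparison has to be numeric and rc-aware (as plain strings, "3006.9" sorts after "3006.12"). The following is an added example, not code from the Salt project or this advisory; the function names are hypothetical, and it assumes plain version strings of the form N.N or N.NrcN.

```python
import re

# Affected ranges exactly as listed on this page: (introduced, fixed).
# The "fixed" version is exclusive: it is the first unaffected release.
AFFECTED_RANGES = [("3006.0rc1", "3006.12"), ("3007.0rc1", "3007.4")]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:rc(\d+))?$")


def parse_salt_version(text):
    """Return a sortable key (major, minor, is_final, rc) for a version string."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    major, minor, rc = m.groups()
    # A release candidate sorts before the final release with the same number.
    return (int(major), int(minor or 0), 0 if rc else 1, int(rc or 0))


def affected_range(version):
    """Return the (introduced, fixed) range containing version, or None."""
    key = parse_salt_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_salt_version(introduced) <= key < parse_salt_version(fixed):
            return (introduced, fixed)
    return None


def report(version):
    """One-line status for a single installed version."""
    hit = affected_range(version)
    if hit is None:
        return f"{version}: not in an affected range listed here"
    return f"{version}: affected, upgrade with pip install --upgrade 'salt>={hit[1]}'"


if __name__ == "__main__":
    # Constructed sample versions, e.g. collected from an inventory of masters.
    for v in ["3005.1", "3006.0rc1", "3006.9", "3006.12", "3007.0", "3007.4"]:
        print(report(v))
```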

References