High severity · score 8.1 (NVD) · Advisory · Published Jun 13, 2025 · Updated Apr 15, 2026
CVE-2025-22239
Description
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by an authorized minion to send arbitrary events onto the master's event bus, including tags that are normally emitted only by the master itself (for example `salt/job/<jid>/publish`, the case exercised by the fix's integration test).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
saltPyPI | >= 3006.0rc1, < 3006.12 | 3006.12 |
saltPyPI | >= 3007.0rc1, < 3007.4 | 3007.4 |
Patches
41d834bf800d Minion event filtering
3 files changed · +94 −0
salt/daemons/masterapi.py+24 −0 modified
@@ -56,6 +56,27 @@
# Things to do in lower layers:
# only accept valid minion ids
+MINION_EVENT_BLACKLIST = (
+ "salt/job/*/publish",
+ "salt/job/*/new",
+ "salt/job/*/return",
+ "salt/key",
+ "salt/cloud/*",
+ "salt/run/*",
+ "salt/cluster/*",
+ "salt/wheel/*/new",
+ "salt/wheel/*/return",
+ "salt/run/*",
+ "salt/cloud/*",
+)
+
+
+def valid_minion_tag(tag, blacklist=MINION_EVENT_BLACKLIST):
+ for black in blacklist:
+ if fnmatch.fnmatch(tag, black):
+ return False
+ return True
+
def init_git_pillar(opts):
"""
@@ -781,6 +802,9 @@ def _minion_event(self, load):
event_data = event["data"]
else:
event_data = event
+ if not valid_minion_tag(event["tag"]):
+ log.warning("Filtering blacklisted event tag %s", event["tag"])
+ continue
self.event.fire_event(event_data, event["tag"])
# old dup event
if load.get("pretag") is not None:
self.event.fire_event(
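Review bot: `MINION_EVENT_BLACKLIST` lists `salt/run/*` and `salt/cloud/*` twice, and the `salt/job/*/return` entry looks like it would never match the tag Salt uses for job returns, which as far as I recall has the shape `salt/job/<jid>/ret/<minion_id>` — an fnmatch pattern of `salt/job/*/ret/*` would be needed to cover that family, so this is worth confirming against the master's return path before relying on the list. Because this is a denylist, every tag family that the master or components listening on its bus trust must be enumerated here, and a comment stating that contract would help maintainers, e.g. `# Tags the master itself emits; an authenticated minion must never be able to forge these. Extend whenever the master gains a new reserved tag family.` `valid_minion_tag` is complete within the hunk and would benefit from a docstring such as `"""Return False when *tag* matches a master-reserved event pattern that minions must not emit."""`. Dropping the two duplicate patterns is a trivial cleanup while you are there.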
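Review bot: The new `log.warning` records only the rejected tag and not which authenticated minion sent it, which is exactly what an operator needs when triaging an injection attempt; `load["id"]` is part of this request (the integration test sets it), so I would write `log.warning("Filtering blacklisted event tag %r from minion %s", event["tag"], load.get("id"))`. Using `%r` rather than `%s` also matters here because the tag is attacker-controlled and a tag containing newline characters would otherwise be able to forge extra lines in the master log. The body of `_minion_event` starts and ends outside this hunk, so I cannot see whether `load["id"]` has been verified against the requesting minion's identity by this point; the `event["tag"]` access itself predates this change.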
tests/pytests/integration/master/test_minion_event.py+47 −0 added
@@ -0,0 +1,47 @@
+import logging
+
+import salt.channel.client
+import salt.config
+import salt.crypt
+import salt.utils.args
+import salt.utils.jid
+
+log = logging.getLogger(__name__)
+
+
+def test_minoin_event_blacklist(salt_master, salt_minion, salt_cli, caplog):
+ ret = salt_cli.run("test.ping", minion_tgt=salt_minion.id)
+ assert ret.returncode == 0
+
+ opts = salt.config.minion_config(salt_minion.config_file)
+ opts["master_uri"] = "tcp://{}:{}".format(opts["master"], opts["master_port"])
+
+ jid = salt.utils.jid.gen_jid(opts)
+ auth = salt.crypt.SAuth(opts)
+ tok = auth.gen_token(b"salt")
+
+ load = {
+ "cmd": "_minion_event",
+ "tok": tok,
+ "id": opts["id"],
+ "events": [
+ {
+ "data": {
+ "fun": "test.ping",
+ "arg": [],
+ "jid": jid,
+ "ret": "",
+ "tgt": salt_minion.id,
+ "tgt_type": "glob",
+ "user": "root",
+ "__peer_id": "salt",
+ },
+ "tag": f"salt/job/{jid}/publish",
+ }
+ ],
+ }
+ with caplog.at_level(logging.WARNING):
+ with salt.channel.client.ReqChannel.factory(opts) as channel:
+ channel.send(load, tries=1, timeout=10000)
+ log.info("payload sent, jid was %s", jid)
+ assert "Filtering blacklisted" in caplog.text
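Review bot: The only assertion is that the substring `Filtering blacklisted` appeared in `caplog`, so the test proves the warning fired but not the actual security property — that the forged `salt/job/<jid>/publish` event never reached the master's event bus; subscribing to the master's bus before `channel.send` and asserting that no event with that tag arrives within a short window would pin the behavior instead of the log wording. The function name `test_minoin_event_blacklist` misspells "minion" and should be `test_minion_event_blacklist`. `timeout=10000` on `channel.send` is very generous for a single request; if that value is in seconds, a hung master would stall the suite for hours, and a value in the tens of seconds seems sufficient for a rejected event.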
tests/pytests/unit/daemons/masterapi/test_valid_minion_tag.py+23 −0 added
@@ -0,0 +1,23 @@
+import pytest
+
+import salt.daemons.masterapi
+
+
+@pytest.mark.parametrize(
+ "tag, valid",
+ [
+ ("salt/job/20160829225914848058/publish", False),
+ ("salt/key", False),
+ ("salt/cluster/fobar", False),
+ ("salt/job/20160829225914848058/return", False),
+ ("salt/job/20160829225914848058/new", False),
+ ("salt/wheel/20160829225914848058/new", False),
+ ("salt/run/20160829225914848058/new", False),
+ ("salt/run/20160829225914848058/ret", False),
+ ("salt/run/20160829225914848058/args", False),
+ ("salt/cloud/20160829225914848058/new", False),
+ ("salt/cloud/20160829225914848058/ret", False),
+ ],
+)
+def test_valid_minion_tag(tag, valid):
+ assert salt.daemons.masterapi.valid_minion_tag(tag) is valid
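Review bot: Every parametrized case expects `False`, so the test never demonstrates that a legitimate minion tag is still accepted — a regression that blocks everything (for example a stray `"*"` pattern in the denylist) would pass unnoticed. Adding positive cases such as `("salt/minion/minion1/start", True)` and `("myorg/custom/event", True)` pins both sides of the filter. A case for the job-return tag shape, which I believe is `salt/job/<jid>/ret/<minion_id>`, would also make explicit whether that family is meant to be blocked, since the `salt/job/*/return` pattern does not match it.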
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c46w-gr7f-jm2p (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-22239 (source: GHSA; type: advisory)
- docs.saltproject.io/en/3006/topics/releases/3006.12.html (source: NVD; type: web)
- docs.saltproject.io/en/3007/topics/releases/3007.4.html (source: NVD; type: web)
- github.com/saltstack/salt/commit/41d834bf800d86fc496e4fac2d3875fc2aca7c62 (source: GHSA; type: web)
News mentions
No linked articles in our index yet.