Saloon has a Fixture Name Path Traversal Vulnerability
Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal vulnerability in Saloon PHP library's fixture handling allows arbitrary file read/write via crafted fixture names.
Vulnerability
Description Saloon, a PHP library for building API integrations and SDKs, had a path traversal vulnerability in its fixture handling prior to version 4.0.0. Fixture names were used to construct file paths under a configured directory without proper validation, allowing names containing path segments like ../ to escape the intended directory [1][4].
Exploitation
Prerequisites An attacker could exploit this if the fixture name is derived from user-controlled input, such as request parameters or configuration. No authentication is required for exploitation; the process's file system access determines the reachable files [1][4].
Impact
Successful exploitation could lead to reading sensitive files (disclosure) or writing to arbitrary files, potentially overwriting critical system files. This could result in information disclosure or remote code execution in some scenarios [1][4].
Mitigation
The vulnerability is patched in Saloon v4.0.0, which adds validation rejecting dangerous characters and defense-in-depth checks ensuring the resolved path remains under the base directory [1][2]. Users are strongly advised to upgrade [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
saloonphp/saloonPackagist | < 4.0.0 | 4.0.0 |
Affected products
2- saloonphp/saloonv5Range: < 4.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-f7xc-5852-fj99ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33183ghsaADVISORY
- docs.saloon.dev/upgrade/upgrading-from-v3-to-v4ghsax_refsource_MISCWEB
- github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.