CVE-2026-33183: Path Traversal in Saloon PHP Fixture Management
Vulnerability ID: CVE-2026-33183
CVSS Score: 8.0
Published: 2026-03-25
The Saloon PHP library (versions prior to 4.0.0) is vulnerable to a path traversal flaw in its MockResponse fixture system. Applications that allow user-controlled input to influence fixture names can be coerced into reading or writing files outside the intended base directory, leading to arbitrary file disclosure or file overwrite.
TL;DR
A path traversal vulnerability in Saloon < 4.0.0 allows attackers to read or write arbitrary files via improperly validated fixture names.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS v4.0 Score: 8.0
- Impact: File Disclosure / File Overwrite
- Exploit Status: PoC Available
- Affected Component: MockResponse Fixtures
Affected Systems
- saloonphp/saloon (PHP)
-
saloon: < 4.0.0 (Fixed in:
4.0.0)
Code Analysis
Commit: d418356
Initial fix commit for path traversal in v4 branch.
Commit: 1307b1d
Additional security improvements for SSRF and credential leakage.
Exploit Details
- GitHub Security Advisory: Functional PoC test case available within the library's security test suite demonstrating the write capability outside the base directory.
Mitigation Strategies
- Upgrade to version 4.0.0
- Implement strict input validation for fixture names
- Apply principle of least privilege to PHP process
- Deploy WAF rules blocking traversal patterns
Remediation Steps:
- Identify all instances of
saloonphp/saloonin composer.lock - Update
saloonphp/saloondependency to ^4.0.0 in composer.json - Run
composer update saloonphp/saloon - Review application code to ensure user input is never passed directly to fixture methods
References
Read the full report for CVE-2026-33183 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)