CVE-2025-22239: 
Python vulnerability analysis and mitigation

CVE-2025-22239 is a vulnerability discovered in Salt Master that allows arbitrary event injection. The vulnerability was disclosed on June 13, 2025, and affects the Salt Project software. The issue specifically involves the master's "minionevent" method, which can be exploited by an authorized minion to send arbitrary events onto the master's event bus (Wiz Report).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. The attack requires local access (AV:L) with low attack complexity (AC:L) and high privileges (PR:H). No user interaction (UI:N) is required, and the scope is changed (S:C). The impact includes high confidentiality (C:H), high integrity (I:H), and low availability (A:L) effects (NVD).

The vulnerability allows an authorized minion to inject arbitrary events onto the master's event bus, potentially leading to significant security implications. The high CVSS score of 8.1 indicates severe potential impacts on both confidentiality and integrity of the system, with a lower impact on availability (Salt Docs).

Patches for this vulnerability have been released in Salt versions 3006.12 and 3007.4. Users are advised to upgrade to these patched versions to address the security issue (Salt Docs, Salt Docs).