
feat: add Saloon v4 support (CVE-2026-33182, CVE-2026-33183)#54

Merged
sandervanhooft merged 2 commits into main from feat/saloon-v4-support
Mar 26, 2026

Conversation

@sandervanhooft
Contributor

Problem

Two medium-severity CVEs were published for saloonphp/saloon v3.x on March 25, 2026:

  • CVE-2026-33182: SSRF and credential leakage via absolute URL in endpoint overriding base URL
  • CVE-2026-33183: Fixture name path traversal vulnerability

Both are fixed in Saloon v4.0.0.

Changes

  • Update saloonphp/saloon constraint from ^3.10 to ^3.10|^4.0
  • Update saloonphp/pagination-plugin from ^2.2 to ^2.2|^2.3
  • Update saloonphp/rate-limit-plugin from ^2.0 to ^2.0|^2.5
  • Fix GetAdministrationsRequest and GetAdministrationRequest: use relative paths (/../administrations) instead of absolute URLs. Saloon v4 blocks absolute URLs in endpoints to prevent SSRF.

Tests

All 156 tests pass on both Saloon v3 and v4.
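The endpoint change described above, as an added PHP illustration rather than the project's own code: the v3-style absolute endpoint beside the relative form this PR adopts, plus a hypothetical guard for installs that cannot move to Saloon v4 yet. It assumes Saloon v3's Request API (`Saloon\Http\Request`, `resolveEndpoint()`, the `Method` enum); the example URL and the helper name are constructed.

```php
<?php
// Added illustration, not code from this project or from Saloon itself.
// Assumes Saloon v3's Request API; the guard is a hypothetical helper.
declare(strict_types=1);

use Saloon\Enums\Method;
use Saloon\Http\Request;

// Before: an absolute URL in the endpoint. Saloon v3 uses it as-is and
// bypasses the connector's base URL, so a misconfigured or tampered value
// sends the request, credentials included, to whatever host it names.
final class GetAdministrationsRequestBefore extends Request
{
    protected Method $method = Method::GET;

    public function resolveEndpoint(): string
    {
        return 'https://api.example.com/v1/administrations'; // constructed URL
    }
}

// After: a relative path, always resolved against the connector's base URL,
// which is the only place the target host is decided.
final class GetAdministrationsRequestAfter extends Request
{
    protected Method $method = Method::GET;

    public function resolveEndpoint(): string
    {
        return '/administrations';
    }
}

/**
 * Hypothetical guard for codebases still on v3: reject endpoints that carry
 * a URL scheme or are protocol-relative ("//host/..."), mirroring the
 * behaviour this PR relies on in v4.
 */
function assertRelativeEndpoint(string $endpoint): void
{
    if (preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//)#i', $endpoint) === 1) {
        throw new \InvalidArgumentException(
            sprintf('Absolute or protocol-relative endpoint rejected: %s', $endpoint)
        );
    }
}

assertRelativeEndpoint((new GetAdministrationsRequestAfter())->resolveEndpoint());  // passes
assertRelativeEndpoint((new GetAdministrationsRequestBefore())->resolveEndpoint()); // throws
```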

ClawdBot and others added 2 commits March 26, 2026 21:13
- Update saloonphp/saloon constraint to ^3.10|^4.0
- Update pagination-plugin to ^2.2|^2.3 and rate-limit-plugin to ^2.0|^2.5
- Fix Administrations endpoints: use relative paths instead of absolute
  URLs (absolute URLs are blocked in Saloon v4 to prevent SSRF)
sandervanhooft merged commit 4dc9590 into main Mar 26, 2026
2 checks passed
sandervanhooft deleted the feat/saloon-v4-support branch March 26, 2026 21:24