salt has 72 known vulnerabilities on the latest version (2016.3.0). DepScope rates its health at 22/100 (critical risk).

What is the latest version of salt?

The latest version of salt is 2016.3.0, released 2025-04-22.

Does salt have known vulnerabilities?

Yes. salt has 72 known vulnerabilities. See depscope.dev/pkg/conda/salt for details.

No, salt is actively maintained. Latest release: 2016.3.0 (2025-04-22).

What are alternatives to salt?

DepScope has no curated alternatives for salt at this time.

What license does salt use?

salt is licensed under Apache License 2.0.

salt

condav2016.3.0

Software to automate the management and configuration of any infrastructure or application at scale

License Apache License 2.0permissive2 versions1 maintainers0 deps142 weekly dl

/ 100

Health

do not use

salt has critical vulnerabilities — do not use

Update to >= 3003.1 to fix known vulnerabilities

Low health score (22/100)
19 high severity vulnerabilities
12 critical vulnerabilities

Health breakdown0 – 100

5/25

maintenance

3/20

popularity

0/25

security

12/15

maturity

2/15

community

Vulnerabilities

12 critical19 high7 medium34 low

Advisories (72)

Severity	ID	Summary	Fixed in
critical	CVE-2020-25592	SaltStack Salt Improper Validation of eauth credentials and tokens in salt-netapi	3002.1
high	CVE-2022-22934	SaltStack Improper Verification of Cryptographic Signature	3003.4
high	CVE-2024-22232	Path traversal in saltstack	3006.6
medium	CVE-2020-17490	SaltStack Salt Allows creating certificates with weak file permissions	3002.1
medium	CVE-2023-34049	Salt preflight script could be attacker controlled	3006.4
high	CVE-2022-22936	SaltStack Salt Authentication Bypass by Capture-replay	3004.1
high	CVE-2017-14696	SaltStack Salt Denial of Service via a crafted authentication request	2017.7.2
high	CVE-2021-25282	SaltStack Salt Directory Traversal vulnerability	3002.3
high	CVE-2025-62348	Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload	3006.17
high	CVE-2017-5200	SaltStack Salt arbitrary command execution in Salt-api via ssh_client	2016.11.2
critical	CVE-2021-3197	SaltStack Salt is vulnerable to shell injection via ProxyCommand argument	3002.3
low	CVE-2022-22935	SaltStack Salt Improper Authentication via Man in the Middle Attack	3004.1
high	CVE-2017-5192	SaltStack Salt Authentication Bypass when using the local_batch client from salt-api	2016.11.2
high	CVE-2022-22967	Salt's PAM auth fails to reject locked accounts	3004.2
critical	CVE-2017-7893	SaltStack Salt allows compromised salt-minions to impersonate the salt-master	2016.3.6
critical	CVE-2021-3148	SaltStack Salt command injection in the Salt-API when using the Salt-SSH client	3002.3
critical	CVE-2017-14695	SaltStack Salt Directory traversal vulnerability in minion id validation	2017.7.2
high	CVE-2021-21996	Exposure of Resource to Wrong Sphere in salt	3003.3
high	CVE-2020-28243	SaltStack Salt command injection via a crafted process name	3002.3
critical	CVE-2020-11651	SaltStack Salt Unauthenticated Remote Code Execution	3000.2

... and 52 more

Threat intelligence

6 actively exploited (CISA KEV)4 likely exploited (EPSS ≥ 0.5)

Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/conda/salt

First published · 2016-06-10 17:54:48.088000+00:00

Last updated · 2025-04-22 14:56:24.039000+00:00