search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Salesforce DX command line interface (CLI) does not adequately protect sfdxurl credentials

Vulnerability Note VU#883754

Original Release Date: 2021-10-04 | Last Revised: 2021-10-05


The default security configuration in Salesforce allows an authenticated user with the Salesforce-CLI to create URL that will allow anyone, anywhere access to the Salesforce GUI with the same administrative credentials without a log trace of access or usage of the API.


The Salesforce-cli interface allows an authenticated user to create an access URL using the CLI interface. This URL can be shared as a link, so anyone who has the link can access this site from anywhere (any IP address or any device) with the same access rights as the creator or the URL. This access is only available for the duration of the access token, however this new access will not be logged or tracked in any way available to the user or to the user's organization. The generated URL requires no user/pass or any form of challenge/response, such as MFA, to verify the identity of the new access. OWASP API Security 2019 recommends a number of protections (relevant sections API2:2019, API6:2019 and API10:2019) of API endpoints that will prevent potential abuse of such API endpoints by malicious actors, including malicious insiders.


An unauthenticated user who gains access to an URL, generated by Salesforce-cli, can perform administrative actions as if logged in with the same rights as the account owner who generated the URL. This includes the ability to add user accounts that have administrative rights, manage existing users or applications, and any other action that is available to the user who generated the URL.


In the Salesforce GUI you can Modify Session Security Settings, it is possible to Lock Sessions to the IP address that the session originated on, which would limit the ability for the URL to be shared with other hosts. The default configuration does not have this lock enabled because it may impact various applications and some mobile devices. It is also possible to lock down sessions using domain names instead of IP addresses. It is recommended that Salesforce customers verify that their applications do not require such untethered or unmonitored access or that using custom generated URL's is currently required in their operations before enforcing the above recommended access control.


Thanks to the reporter, who wishes to remain anonymous, for reporting this vulnerability.

This document was written by Timur Snoke.

Vendor Information

883754 Not Affected

Notified:  2021-07-09 Updated: 2021-10-05

Statement Date:   October 05, 2021

VU#883754.1 Not Affected

Vendor Statement

At Salesforce, Trust is our #1 value, and we take the protection of our customers’ data very seriously. For additional information, please refer to Knowledge Article Number 000363271, Configuration of Salesforce Developer Experience Command Line Interface.


CERT Addendum

The Salesforce-cli can authenticate to the Salesforce GUI with the user's current credentials via an API call. The credentials can be presented as a URL that can be sent via email, thereby opening an authenticated page on the Salesforce GUI. The lack of MFA enables the URL to bypass any additional security checks. This new access from a different location is not logged. The default restriction is the expiration of the access token, but if the URL is accessed before the expiration, the authenticated user can create new administrators or perform other administrative operations that the authenticated user has permission to perform. The attack is prevented by changing the default configuration to [Lock session by IP]]( Salesforce indicates that this control may impact mobile devices or other Salesforce applications, so testing prior to deployment is recommended.

Other Information

Date Public: 2021-10-04
Date First Published: 2021-10-04
Date Last Updated: 2021-10-05 14:53 UTC
Document Revision: 7

Sponsored by CISA.