PT-2026-26302 · Crates.Io · Salvo

Published

2026-03-19

·

Updated

2026-03-19

·

CVE-2026-33241

CVSS v4.0

8.7

High

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Salvo's form data parsing implementations (form data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.

Details

Vulnerability Description

Three attack vectors exist in Salvo's form handling:
  1. URL-encoded form data (application/x-www-form-urlencoded)
  • Request::form data() calls BodyExt::collect(body) which reads the entire body into memory without size checking
  • Affects handlers using req.form data().await directly
  1. Multipart form data (multipart/form-data)
  • Similar unbounded memory allocation during parsing
  • Affects handlers processing multipart uploads
  1. Extractible macro
  • #[derive(Extractible)] with #[salvo(extract(default source(from = "body")))] internally calls form data()
  • Vulnerabilities propagate to all extractors using body sources

Root Cause

The FormData::read() implementation prioritizes convenience over safety by reading entire request bodies before validation. Even when Request::payload with max size() is available, it's not automatically applied in the form parsing path.

PoC

  1. run Extract data from request example in readme.md in docker file with limited memory say 100mb.
  2. Send application/x-www-form-urlencoded OR multipart/form-data payload to the endpoint.
  3. The server process OOM-crashes, instead of returning 413 error.

Impact

Immediate Effects

  • Service Unavailability: Servers crash under memory pressure
  • Resource Exhaustion: Single request can consume all available memory
  • Cascading Failures: In containerized environments, OOM can affect other services

Attack Characteristics

  • Low Cost: Attacker needs minimal bandwidth (header only, body can be streamed)
  • No Authentication: Exploitable on public endpoints
  • Difficult to Rate-Limit: Traditional rate limiting may not prevent single large request
  • Amplification: Small network cost → large memory consumption

Real-World Scenarios

  1. Public API endpoints accepting form data
  2. User registration/profile update handlers
  3. File upload endpoints using multipart forms
  4. Any endpoint using #[derive(Extractible)] with body sources

Suggestion: Make Multipart File Upload Handling Explicit Opt-In

Problem Statement

Currently, Salvo's multipart form data parsing automatically handles file uploads without explicit developer intent. This creates several security and usability concerns:
  1. Unintended File Storage: Developers may unknowingly accept file uploads when they only intended to handle text fields
  2. Disk Space Exhaustion: Automatic file buffering to disk can fill storage without proper limits
  3. Resource Cleanup: Temporary files may not be properly cleaned up if handlers don't expect them
  4. Attack Surface: Endpoints inadvertently become file upload targets

Fix

Allocation of Resources Without Limits

Weakness Enumeration

CWE-770

Related Identifiers

CVE-2026-33241
GHSA-PP9R-XG4C-8J4X

Affected Products

Salvo