PT-2026-26302 · Salvo · Salvo

Yshing · Published 2026-03-19 · Updated 2026-03-26

CVE-2026-33241 · CVSS v4.0 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Salvo versions prior to 0.89.3

Description: Salvo, a Rust web framework, is susceptible to denial of service due to unbounded memory allocation during form data parsing. The form_data() method and the Extractible macro do not enforce payload size limits before reading request bodies into memory, so an attacker can cause an Out-of-Memory (OOM) condition by sending an extremely large payload and crash the service. The issue affects URL-encoded form data (application/x-www-form-urlencoded), multipart form data (multipart/form-data), and handlers using the #[derive(Extractible)] macro with body sources. The root cause is the FormData::read() implementation prioritizing convenience over safety. The vulnerability can lead to service unavailability, resource exhaustion, and cascading failures in containerized environments. The attack is low cost, requires no authentication, and is difficult to rate-limit. The issue is exploitable on public endpoints and can amplify a small network cost into large memory consumption on the server. Affected endpoints include public API endpoints accepting form data, user registration/profile update handlers, and file upload endpoints using multipart forms.

Recommendations: Versions prior to 0.89.3 should be updated to version 0.89.3 or later.
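As an added illustration of the mitigation class described above (not Salvo's own code or its fix), the following plain-Rust example caps a request body before any form decoding happens: the reader stops at one byte past the limit, so an oversized application/x-www-form-urlencoded body is rejected without ever being buffered. The names read_body_bounded, parse_form and BodyError are hypothetical.

```rust
use std::io::Read;

/// Raised before an oversized body ever reaches the form parser.
#[derive(Debug, PartialEq)]
pub enum BodyError { TooLarge { limit: usize }, Io(String) }

/// Read at most `limit + 1` bytes; the extra byte proves the client exceeded `limit` without buffering more.
pub fn read_body_bounded<R: Read>(body: R, limit: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = Vec::new();
    body.take(limit as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.to_string()))?;
    if buf.len() > limit {
        return Err(BodyError::TooLarge { limit });
    }
    Ok(buf)
}

/// Decode one urlencoded token: '+' becomes a space, %XX becomes the byte XX, malformed escapes stay literal.
fn percent_decode(s: &[u8]) -> String {
    let mut out = Vec::with_capacity(s.len());
    let mut i = 0;
    while i < s.len() {
        let hex = match s.get(i..i + 3) {
            Some([b'%', h @ ..]) if h.iter().all(u8::is_ascii_hexdigit) =>
                u8::from_str_radix(std::str::from_utf8(h).unwrap(), 16).ok(),
            _ => None,
        };
        match (s[i], hex) {
            (_, Some(b)) => { out.push(b); i += 3; }
            (c, None) => { out.push(if c == b'+' { b' ' } else { c }); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Parse application/x-www-form-urlencoded only from a size-checked buffer, so the cap runs before any decoding.
pub fn parse_form<R: Read>(body: R, limit: usize) -> Result<Vec<(String, String)>, BodyError> {
    let bytes = read_body_bounded(body, limit)?;
    Ok(bytes
        .split(|&b| b == b'&')
        .filter(|pair| !pair.is_empty())
        .map(|pair| {
            let mut kv = pair.splitn(2, |&b| b == b'=');
            let key = percent_decode(kv.next().unwrap_or(&[]));
            let val = percent_decode(kv.next().unwrap_or(&[]));
            (key, val)
        })
        .collect())
}
```

A request body of one gibibyte fed through parse_form with a 4096-byte limit is rejected after reading 4097 bytes, which is the asymmetry the advisory describes turned back in the defender's favour.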

Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-33241
GHSA-PP9R-XG4C-8J4X

Affected Products

Salvo