PT-2026-26303 · Unknown+1 · Salvo-Proxy+1

Tomasilluminati · Published 2026-03-19 · Updated 2026-03-26
CVE-2026-33242 · CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Salvo versions 0.39.0 through 0.89.2
Description: Salvo, a Rust web framework, contains a path traversal and access control bypass issue in its salvo-proxy component. An unauthenticated attacker can bypass proxy routing constraints and reach backend paths the proxy was not meant to expose, such as protected endpoints or administrative dashboards. The cause is the proxy's URL-path encoding function (referred to in the advisory as the "encode url path" function): it does not normalize "../" sequences before forwarding the path to the upstream server, and it does not re-encode the "." character, so a percent-encoded traversal sequence such as %2e%2e is decoded to ".." in the forwarded path. An attacker triggers the issue by requesting a proxied URL containing such encoded "../" segments; the proxy passes them to the backend without sanitizing them, and the backend resolves them as directory traversal, potentially granting access to resources outside the intended route. The vulnerable code was introduced in a specific commit.
Recommendations: Update Salvo versions 0.39.0 through 0.89.2 to version 0.89.3 or later. As a temporary workaround, normalize the request path before the proxy forwards it to the upstream server: percent-decode each path segment and reject or remove any segment that resolves to "..", including encoded forms such as %2e%2e, rather than relying on the backend to handle it. Alternatively, use a trusted URL parsing and normalization library so that path components are handled consistently.
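To make the mechanism and the workaround concrete, here is an added Rust example. It is not salvo-proxy's code: the advisory names the affected function only as the "encode url path" function, so `vulnerable_forward_path` below is a constructed model of the behaviour it describes (decode each segment, re-encode without touching "."), and `safe_forward_path`, `percent_decode`, `encode_segment` and `PathError` are hypothetical names for the workaround. It uses only the standard library.

```rust
// Added example (not salvo-proxy's code): a constructed model of the
// path-forwarding behaviour described in the advisory, beside a hardened
// normalizer a proxy could apply before sending the path upstream.

#[derive(Debug, PartialEq)]
pub enum PathError {
    /// A segment resolved to ".." or smuggled a separator after decoding.
    Traversal,
    /// Invalid percent-encoding or non-UTF-8 bytes in the path.
    Malformed,
}

/// Percent-decode one path segment ("%2e" and "%2E" both become ".").
fn percent_decode(segment: &str) -> Result<String, PathError> {
    let bytes = segment.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // A "%" needs two following bytes, both hex digits.
            if i + 2 >= bytes.len() {
                return Err(PathError::Malformed);
            }
            let hex = &bytes[i + 1..i + 3];
            if !hex.iter().all(|b| b.is_ascii_hexdigit()) {
                return Err(PathError::Malformed);
            }
            let hex = std::str::from_utf8(hex).map_err(|_| PathError::Malformed)?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| PathError::Malformed)?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| PathError::Malformed)
}

/// Percent-encode a decoded segment, leaving RFC 3986 unreserved characters
/// (ALPHA, DIGIT, "-", ".", "_", "~") as they are. Because "." is unreserved,
/// an encoder like this never turns ".." back into "%2e%2e"; that is the gap
/// the advisory describes, and why ".." has to be rejected separately.
fn encode_segment(segment: &str) -> String {
    let mut out = String::with_capacity(segment.len());
    for b in segment.bytes() {
        if b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'_' | b'~') {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Constructed model of the vulnerable behaviour: decode each segment, re-encode
/// it with "." left alone, and forward whatever results. A request for
/// "/api/%2e%2e/admin" reaches the upstream as "/api/../admin".
pub fn vulnerable_forward_path(path: &str) -> String {
    path.split('/')
        .map(|raw| match percent_decode(raw) {
            Ok(seg) => encode_segment(&seg),
            Err(_) => raw.to_string(), // malformed segments pass through unchanged
        })
        .collect::<Vec<_>>()
        .join("/")
}

/// Hardened normalizer (hypothetical workaround): decode each segment, refuse
/// anything that resolves to ".." (raw or encoded) or smuggles a separator,
/// drop "" and "." segments, then re-encode. Expects the path only; strip the
/// query string before calling.
pub fn safe_forward_path(path: &str) -> Result<String, PathError> {
    let mut out = String::new();
    for raw in path.split('/') {
        let seg = percent_decode(raw)?;
        if seg == ".." || seg.contains('/') || seg.contains('\\') || seg.contains('\0') {
            return Err(PathError::Traversal);
        }
        if seg.is_empty() || seg == "." {
            continue;
        }
        out.push('/');
        out.push_str(&encode_segment(&seg));
    }
    if out.is_empty() {
        out.push('/');
    }
    Ok(out)
}

fn main() {
    for p in ["/api/%2e%2e/admin", "/api/../admin", "/api/./v1", "/api/user%20name"] {
        println!("{:<20} vulnerable -> {:<16} safe -> {:?}",
                 p, vulnerable_forward_path(p), safe_forward_path(p));
    }
}
```

The hardened function rejects rather than resolves "..", so a traversal attempt fails at the proxy instead of being normalized into a path that might still land outside the intended route; it also refuses a decoded "/" or "\" inside a segment (for example from %2F), since an upstream that decodes again could otherwise split it into new segments. Empty and "." segments are collapsed, so a trailing slash is dropped; keep it if the backend distinguishes "/admin/" from "/admin".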

Tags: Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33242
GHSA-F842-PHM9-P4V4

Affected Products

Salvo
Salvo-Proxy