anonhaven
Ad

CVE-2026-33241

HIGH CVSS 4.0: 8.7 EPSS 0.02%
Updated Mar 24, 2026
Payload
Parameter Value
CVSS 8.7 (HIGH)
Affected Versions before 0.89.3
Fixed In 0.89.3
Type CWE-770 (Allocation Without Limits)
Vendor Payload
Public PoC No

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service.

Version 0.89.3 contains a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-770 Allocation Without Limits

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Salvo Salvo
cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*
 0.89.3

References 2

https://github.com/salvo-rs/salvo/releases/tag/v0.89.3
security-advisories@github.com
https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-4984

Payload

8.2

CVE-2026-25100

Payload

4.8

CVE-2026-33532

Payload

4.3

CVE-2019-25649

Payload

6.8

CVE-2019-25648

Payload

6.9