Description
Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
Published: 2026-03-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Out-of-Memory Condition
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates in Salvo's form data parsing logic, where the size of incoming payloads is not limited before the entire body is read into memory. This omission allows an adversary to send a deliberately massive form payload so that the process exhausts available memory, resulting in a crash or forced restart of the application server. The weakness is a classic unbounded allocation flaw (CWE‑770). Because the failure manifests as service unavailability rather than leakage or control compromise, the primary impact is denial of service.

Affected Systems

Salvo framework from the Rust ecosystem, specifically versions earlier than 0.89.3. The affected component is the form_data() method and Extractible macro used by developers to parse multipart or URL‑encoded form bodies. Updating to Salvo 0.89.3 or newer removes the check and prevents the over‑allocation.

Risk and Exploitability

The severity score of 8.7 (CVSS v3.1) indicates a high risk. The EPSS probability is below 1 %, meaning exploitation is unlikely in the wild, but the omission can be leveraged by an attacker with network access to the web service, simply by crafting a very large HTTP request. Since the vulnerability is not listed in CISA’s KEV catalogue, there is no evidence of active exploitation. The entry point is a publicly exposed HTTP endpoint that accepts form data, so the attack vector is network‑based. Proper mitigation is by installing the patched version.

Generated by OpenCVE AI on March 24, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Salvo to version 0.89.3 or later
  • Verify that no custom form parsing components re‑introduce unbounded allocation
  • Monitor system memory usage and application health metrics to detect potential OOM incidents

Generated by OpenCVE AI on March 24, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pp9r-xg4c-8j4x Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing
History

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Salvo
Salvo salvo
CPEs cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*
Vendors & Products Salvo
Salvo salvo
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Salvo-rs
Salvo-rs salvo
Vendors & Products Salvo-rs
Salvo-rs salvo

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
Title Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Salvo Salvo
Salvo-rs Salvo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T19:22:48.083Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33241

cve-icon Vulnrichment

Updated: 2026-03-25T19:22:16.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T00:16:29.517

Modified: 2026-03-24T19:37:58.750

Link: CVE-2026-33241

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:27:53Z

Weaknesses