Description
Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
Published: 2026-03-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal / Access Control Bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in the encode_url_path function of the salvo-proxy component, which fails to normalize "../" sequences and does not re-encode the "." character, allowing crafted URLs to be forwarded unchanged to the upstream server. An unauthenticated external attacker can exploit this to bypass proxy routing constraints, reaching protected backend paths such as administrative dashboards or other sensitive endpoints. The vulnerability carries a CVSS score of 7.5, indicating a high degree of severity due to the potential for unauthorized access.
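An added example, not code from the Salvo project or its 0.89.3 patch: a defensive normaliser that a reverse proxy could run on the request tail before appending it to the upstream base path, closing the class of bug the Description and Impact sections describe. It assumes a hypothetical proxy that has already matched a route and holds a configured upstream base; the function and type names (build_upstream_path, PathError, percent_decode, percent_encode) and the sample paths such as /backend/public are this example's own, constructed for illustration. It goes beyond the advisory's plain "../" case by also decoding percent-encoded dot segments (%2e%2e) and refusing any segment that decodes to contain a slash, since an upstream may decode such a segment a second time.

```rust
// Added example (hypothetical proxy code, not Salvo's): resolve dot-segments
// against the mount point and re-encode before forwarding upstream.

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    /// Malformed percent-escape such as "%zz" or a trailing "%".
    BadEncoding,
    /// A segment decoded to more than one segment ('/', '\\' or NUL inside),
    /// which an upstream that decodes again might re-interpret.
    AmbiguousSegment,
    /// A ".." segment would climb above the configured upstream base.
    EscapesBase,
}

/// Percent-decode one raw path segment. Malformed escapes are rejected rather
/// than passed through, so the upstream never sees bytes we did not parse.
fn percent_decode(segment: &str) -> Result<String, PathError> {
    let bytes = segment.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 2 >= bytes.len() {
                return Err(PathError::BadEncoding);
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3])
                .map_err(|_| PathError::BadEncoding)?;
            let value = u8::from_str_radix(hex, 16).map_err(|_| PathError::BadEncoding)?;
            out.push(value);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| PathError::BadEncoding)
}

/// Re-encode a decoded segment, leaving only RFC 3986 unreserved characters
/// verbatim. Dot-segments were already resolved by the caller, so a literal
/// '.' here is part of a file name, not a traversal token.
fn percent_encode(segment: &str) -> String {
    let mut out = String::with_capacity(segment.len());
    for &b in segment.as_bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the path sent upstream from the configured base and the request tail.
/// "." is dropped, ".." pops the previous segment, and popping past the mount
/// point is an error instead of a path above the base.
pub fn build_upstream_path(upstream_base: &str, tail: &str) -> Result<String, PathError> {
    let mut stack: Vec<String> = Vec::new();
    for raw in tail.split('/') {
        if raw.is_empty() {
            continue; // collapse "//" and ignore leading/trailing slashes
        }
        let seg = percent_decode(raw)?;
        if seg.contains('/') || seg.contains('\\') || seg.contains('\0') {
            return Err(PathError::AmbiguousSegment);
        }
        match seg.as_str() {
            "." => {}
            ".." => {
                if stack.pop().is_none() {
                    return Err(PathError::EscapesBase);
                }
            }
            _ => stack.push(percent_encode(&seg)),
        }
    }
    let base = upstream_base.trim_end_matches('/');
    Ok(format!("{}/{}", base, stack.join("/")))
}

fn main() {
    // Constructed sample tails, as a proxy might see them after route matching.
    for tail in ["docs/index.html", "../admin", "%2e%2e/admin", "%2e%2e%2fadmin"] {
        match build_upstream_path("/backend/public", tail) {
            Ok(p) => println!("{tail:?} -> forward {p}"),
            Err(e) => println!("{tail:?} -> reject ({e:?})"),
        }
    }
}
```

The property that matters is that ".." is resolved against a stack that starts at the mount point, so a forwarded path can only ever lie beneath the configured base; a request that would pop an empty stack is rejected with EscapesBase, and a proxy would sensibly log that rejection as a probable traversal attempt rather than forward anything.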

Affected Systems

The affected product is the Salvo Rust web framework provided by salvo-rs. Versions ranging from 0.39.0 up to and including 0.89.2 are impacted. Version 0.89.3 contains a fix for the issue.

Risk and Exploitability

The EPSS score indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation in the wild is not yet widespread. Nevertheless, the CVSS score and the nature of the flaw mean that an attacker who can send crafted requests to the proxy can gain unauthorized access to backend services. The exploit path requires no authentication or special permissions; it relies solely on manipulating the URL path passed to the proxy component.

Generated by OpenCVE AI on March 24, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Salvo to version 0.89.3 or later.



Advisories
Source: Github GHSA
ID: GHSA-f842-phm9-p4v4
Title: Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass
History

Wed, 25 Mar 2026 04:15:00 +0000

Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 19:45:00 +0000

Values Added:
  First Time appeared: Salvo; Salvo salvo
  CPEs: cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*
  Vendors & Products: Salvo; Salvo salvo

Tue, 24 Mar 2026 10:45:00 +0000

Values Added:
  First Time appeared: Salvo-rs; Salvo-rs salvo
  Vendors & Products: Salvo-rs; Salvo-rs salvo

Tue, 24 Mar 2026 02:30:00 +0000

Values Added:
  Description: Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
  Title: Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass
  Weaknesses: CWE-22
  References:
  Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:12:45.439Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33242

Vulnrichment

Updated: 2026-03-24T14:13:22.468Z

NVD

Status : Analyzed

Published: 2026-03-24T00:16:29.670

Modified: 2026-03-24T19:37:42.130

Link: CVE-2026-33242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:35:54Z

Weaknesses