CVE-2026-33241

HIGH

Salvo <0.89.3 - DoS

Title source: llm

Description

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.

References (2)

[Vendor Advisory] https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x

[Release Notes] https://github.com/salvo-rs/salvo/releases/tag/v0.89.3

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

crates.io/salvo 0 - 0.89.3crates.io

salvo/salvo < 0.89.3

salvo-rs/salvo < 0.89.3

Published Mar 24, 2026

Tracked Since Mar 24, 2026