Description
Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4
Patch x_refsource_misc
https://github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bb#diff-e319bf7afcb577f7e9f4fb767005072f6335d23f306dd52e8c94f3d222610d02R20
Release Notes x_refsource_misc
https://github.com/salvo-rs/salvo/releases/tag/v0.89.3
Scores
CVSS v3
7.5
EPSS
0.0056
EPSS Percentile
42.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
crates.io/salvo
0.39.0 - 0.89.3crates.io
salvo/salvo
0.39.0 - 0.89.3
salvo-rs/salvo
>= 0.39.0, < 0.89.3
Published
Mar 24, 2026
Tracked Since
Mar 24, 2026