CVE-2026-33241
Received Received - Intake
Out-of-Memory Vulnerability in Salvo Form Data Parsing

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33241
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
salvo salvo to 0.89.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33241 is a Denial of Service (DoS) vulnerability in the Rust web framework Salvo, specifically in its form data parsing implementations such as the `form_data()` method and the `Extractible` macro.

The vulnerability occurs because these components do not enforce payload size limits before reading request bodies into memory. This allows attackers to send extremely large payloads that cause unbounded memory allocation.

As a result, the server can run out of memory (Out-of-Memory or OOM condition), leading to crashes and denial of service.

The issue affects URL-encoded form data, multipart form data, and any extractors using body sources that internally call the vulnerable methods.

The root cause is that the form data reading implementation prioritizes convenience by reading the entire request body before validation and does not apply size-limiting methods automatically.

Impact Analysis

This vulnerability can cause significant impact by allowing attackers to crash your Salvo-based server through resource exhaustion.

  • Service Unavailability: The server can crash due to memory exhaustion caused by processing oversized form payloads.
  • Resource Exhaustion: A single malicious request can consume all available memory, leading to Out-of-Memory conditions.
  • Cascading Failures: In containerized or multi-service environments, OOM crashes can affect other services running on the same host.
  • Low Cost to Attacker: The attack requires minimal bandwidth and no authentication, making it easy to exploit.
  • Increased Attack Surface: Automatic handling of multipart form data can lead to unintended file storage and disk space exhaustion.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unusually large form data payloads being sent to endpoints that use Salvo's form data parsing methods, especially those accepting URL-encoded or multipart form data."}, {'type': 'paragraph', 'content': 'Since the vulnerability causes Out-of-Memory (OOM) conditions and server crashes, detection can also involve monitoring server logs and system metrics for memory exhaustion or crashes related to form data handling.'}, {'type': 'paragraph', 'content': 'Specific commands to detect attempts or effects of this vulnerability are not provided in the available resources.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Salvo to version 0.89.3 or later, which contains a patch that enforces payload size limits before reading request bodies into memory.

Additionally, it is recommended to enforce payload size limits on form data parsing and make multipart file upload handling explicit and opt-in to prevent unintended resource exhaustion.

Monitoring and limiting the size of incoming requests at the network or application level can also help mitigate the risk until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart