CVE-2026-33242
Path Traversal and Access Bypass in Salvo-Proxy Framework
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salvo | salvo | From 0.39.0 (inc) to 0.89.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33242 is a high-severity Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component of the Salvo Rust web framework, affecting versions 0.39.0 through 0.89.2.

The vulnerability arises because the `encode_url_path` function fails to properly normalize and re-encode URL path segments containing "../" sequences. Specifically, when an attacker sends encoded path traversal sequences like `%2e%2e` (which decode to `..`), Salvo decodes them to `../` but does not re-encode the dot character during URL path reconstruction.

As a result, the proxy forwards the raw `../` segments directly to the backend server, allowing an unauthenticated attacker to bypass proxy routing constraints and access unintended backend paths such as protected endpoints or administrative dashboards.

This issue is due to the encoding set used excluding the dot character, so `../` sequences remain unencoded and are forwarded verbatim, enabling requests like `GET /api/../admin` to bypass API Gateway routing and security checks. [1]
How can this vulnerability impact me?
This vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access protected backend paths or administrative dashboards that should be restricted.
Attackers can exploit this flaw to gain unauthorized access to internal services and sensitive endpoints without any privileges or user interaction.
Such unauthorized access can lead to exposure of confidential information, potentially compromising the confidentiality of your systems.
Because the vulnerability is exploitable remotely over the network with low complexity and no authentication, it poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access protected backend paths through the Salvo proxy using path traversal sequences in the URL. Specifically, you can test if the proxy improperly forwards encoded path traversal sequences like "%2e%2e" (which decode to "..") without proper normalization and re-encoding.

A practical detection method involves sending crafted HTTP requests that include encoded path traversal sequences to the proxy and observing if unauthorized backend paths are accessible.

For example, using curl, you can issue a request like:

- `curl -s http://127.0.0.1:8080/gateway/api/%2e%2e%2fadmin/index.html`

If this request successfully accesses the `/admin` path or other protected endpoints that should be restricted, it indicates the presence of the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Salvo framework to version 0.89.3 or later, where the vulnerability has been patched.

The patch involves properly normalizing URL paths according to RFC 3986 before encoding and forwarding them, ensuring that path traversal sequences like ".." are correctly resolved and not forwarded verbatim.

If upgrading is not immediately possible, consider implementing a custom normalization function that resolves "." and ".." segments in URL paths before they reach the proxy, or use a standard URL handling library to normalize paths.

Additionally, review and tighten access controls on backend services to limit exposure in case of proxy bypass. [1, 2]
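The workaround above (normalize "." and ".." segments before the proxy forwards a path) is easy to get wrong if normalization runs on the still-encoded string, since `%2e%2e` is not literally `..`. The following Rust code is an added example, not Salvo's code or its patch: it percent-decodes the request path, applies a segment-based equivalent of RFC 3986 section 5.2.4 `remove_dot_segments` for absolute paths, and then requires the normalized result to remain under the route prefix the proxy is allowed to forward. The functions `percent_decode`, `remove_dot_segments` and `forward_path` and the `/api` prefix are assumptions for illustration; the normalization also collapses empty segments (`//`), which the RFC algorithm does not.

```rust
// Added example (not from the Salvo project): decode, normalize, then decide
// whether a proxied path is still inside the allowed route prefix.

/// Decode %XX escapes in a URL path. Returns None on a malformed escape so the
/// caller can reject the request instead of guessing. '+' is left alone: this
/// is a path, not a query string. Decoding %2F to '/' before normalizing is
/// deliberate: the check should see the path the way a lenient backend would.
fn percent_decode(path: &str) -> Option<String> {
    let bytes = path.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // Need two more bytes after '%'.
            if i + 2 >= bytes.len() {
                return None;
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Segment-based equivalent of RFC 3986 remove_dot_segments for an absolute
/// path: "." is dropped, ".." pops the previous segment (never above "/"),
/// and a trailing "/" (or trailing "." / "..") is preserved as a directory.
fn remove_dot_segments(path: &str) -> String {
    let mut output: Vec<&str> = Vec::new();
    let trailing = path.ends_with('/') || path.ends_with("/.") || path.ends_with("/..");
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        match seg {
            "." => {}
            ".." => {
                output.pop();
            }
            s => output.push(s),
        }
    }
    let mut result = String::from("/");
    result.push_str(&output.join("/"));
    if trailing && !output.is_empty() {
        result.push('/');
    }
    result
}

/// Decision a proxy route can make before forwarding: decode, normalize, and
/// require the result to stay under `prefix` (for example "/api"). Returns the
/// normalized path to forward, or None so the caller can answer 400/404.
fn forward_path(raw: &str, prefix: &str) -> Option<String> {
    let decoded = percent_decode(raw)?;
    if !decoded.starts_with('/') {
        return None;
    }
    let normalized = remove_dot_segments(&decoded);
    let under_prefix =
        normalized == prefix || normalized.starts_with(&format!("{}/", prefix));
    if under_prefix {
        Some(normalized)
    } else {
        None
    }
}

fn main() {
    // Constructed sample request paths, including the encoded form from the advisory.
    let samples = [
        "/api/users/42",
        "/api/users/../users/42",
        "/api/%2e%2e/admin",
        "/gateway/api/%2e%2e%2fadmin/index.html",
    ];
    for s in samples.iter() {
        match forward_path(s, "/api") {
            Some(p) => println!("{} -> forward {}", s, p),
            None => println!("{} -> reject", s),
        }
    }
}
```

The important ordering is decode first, normalize second, authorize third: checking the prefix on the raw string passes `/api/%2e%2e/admin` because it starts with `/api`, while the normalized path `/admin` does not. Rejecting rather than silently rewriting also gives a log line worth alerting on, since legitimate clients rarely send dot segments through a gateway.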