Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33242 is a high-severity Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component of the Salvo Rust web framework, affecting versions 0.39.0 through 0.89.2.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the `encode_url_path` function fails to properly normalize and re-encode URL path segments containing "../" sequences. Specifically, when an attacker sends encoded path traversal sequences like `%2e%2e` (which decode to `..`), Salvo decodes them to `../` but does not re-encode the dot character during URL path reconstruction.'}, {'type': 'paragraph', 'content': 'As a result, the proxy forwards the raw `../` segments directly to the backend server, allowing an unauthenticated attacker to bypass proxy routing constraints and access unintended backend paths such as protected endpoints or administrative dashboards.'}, {'type': 'paragraph', 'content': 'This issue is due to the encoding set used excluding the dot character, so `../` sequences remain unencoded and are forwarded verbatim, enabling requests like `GET /api/../admin` to bypass API Gateway routing and security checks.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access protected backend paths or administrative dashboards that should be restricted.

Attackers can exploit this flaw to gain unauthorized access to internal services and sensitive endpoints without any privileges or user interaction.

Such unauthorized access can lead to exposure of confidential information, potentially compromising the confidentiality of your systems.

Because the vulnerability is exploitable remotely over the network with low complexity and no authentication, it poses a significant security risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access protected backend paths through the Salvo proxy using path traversal sequences in the URL. Specifically, you can test if the proxy improperly forwards encoded path traversal sequences like "%2e%2e" (which decode to "..") without proper normalization and re-encoding.'}, {'type': 'paragraph', 'content': 'A practical detection method involves sending crafted HTTP requests that include encoded path traversal sequences to the proxy and observing if unauthorized backend paths are accessible.'}, {'type': 'paragraph', 'content': 'For example, using curl, you can issue a request like:'}, {'type': 'list_item', 'content': 'curl -s http://127.0.0.1:8080/gateway/api/%2e%2e%2fadmin/index.html'}, {'type': 'paragraph', 'content': 'If this request successfully accesses the `/admin` path or other protected endpoints that should be restricted, it indicates the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade the Salvo framework to version 0.89.3 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch involves properly normalizing URL paths according to RFC 3986 before encoding and forwarding them, ensuring that path traversal sequences like ".." are correctly resolved and not forwarded verbatim.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, consider implementing a custom normalization function that resolves "." and ".." segments in URL paths before they reach the proxy, or use a standard URL handling library to normalize paths.'}, {'type': 'paragraph', 'content': 'Additionally, review and tighten access controls on backend services to limit exposure in case of proxy bypass.'}] [1, 2]

Useful 0 Not Useful 0