High severityNVD Advisory· Published Mar 23, 2026· Updated Mar 25, 2026
Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing
CVE-2026-33241
Description
Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (form_data() method and Extractible macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
salvocrates.io | < 0.89.3 | 0.89.3 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-pp9r-xg4c-8j4xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33241ghsaADVISORY
- github.com/salvo-rs/salvo/releases/tag/v0.89.3ghsax_refsource_MISCWEB
- github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4xghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.